From 431a03bb9f35f69adb358f1ffd9689a2de802da2 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Fri, 11 Aug 2017 14:49:56 +0200
Subject: [PATCH] Prevent access to nonplat_service_contexts on full_treble.

On Full Treble devices, servicemanager should only serve
services from the platform service_contexts file.

Created new type to separate plat_ and nonplat_service_contexts,
and added new type to mapping (although I don't think this type
should have been used by vendors).

Bug: 36866029
Test: Marlin/Taimen boot
Change-Id: Ied112c64f22f8486a7415197660faa029add82d9
---
 prebuilts/api/26.0/26.0.cil | 2 +-
 private/file_contexts       | 4 ++--
 public/file.te              | 3 +++
 public/servicemanager.te    | 5 ++---
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/prebuilts/api/26.0/26.0.cil b/prebuilts/api/26.0/26.0.cil
index 4a78695ff..40bec840f 100644
--- a/prebuilts/api/26.0/26.0.cil
+++ b/prebuilts/api/26.0/26.0.cil
@@ -537,7 +537,7 @@
 (typeattributeset serial_device_26_0 (serial_device))
 (typeattributeset serialno_prop_26_0 (serialno_prop))
 (typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file))
+(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
 (typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
 (typeattributeset servicemanager_26_0 (servicemanager))
 (typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
diff --git a/private/file_contexts b/private/file_contexts
index 7f9f5129e..b9247b9d2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -51,7 +51,7 @@
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
-/nonplat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_service_contexts   u:object_r:nonplat_service_contexts_file:s0
 /nonplat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /vndservice_contexts   u:object_r:vndservice_contexts_file:s0
 
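Review bot: Relabeling `/nonplat_service_contexts` here, and `/vendor/etc/selinux/nonplat_service_contexts` in the next hunk, takes the file out of `service_contexts_file`, so any domain other than servicemanager that was reading it under the old label silently loses access; the commit grants the new type to servicemanager only, so it is worth confirming that no other domain (an init-time or test consumer, for instance) opens these paths. The two entries must change together, which they do. Vendor policies built against the 26.0 API keep their access only through the compat mapping in the first hunk, which is presumably the intent.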
@@ -297,7 +297,7 @@
 
 /vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
-/vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts    u:object_r:nonplat_service_contexts_file:s0
 /vendor/etc/selinux/nonplat_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
diff --git a/public/file.te b/public/file.te
index dfc5bcd9f..72f22feea 100644
--- a/public/file.te
+++ b/public/file.te
@@ -313,6 +313,9 @@ type sepolicy_file, file_type;
 # service_contexts file
 type service_contexts_file, file_type;
 
+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, file_type;
+
 # hwservice_contexts file
 type hwservice_contexts_file, file_type;
 
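Review bot: The comment on the new type says when the file is accessible but not why a separate type exists, which is the thing a later reader will ask before merging it back into `service_contexts_file`. Suggest `# nonplat_service_contexts (vendor-provided). Kept distinct from service_contexts_file so that servicemanager's read access can be restricted to non full-treble devices.` in place of the single-line comment.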
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 3cf5a464d..7fa56f802 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -16,10 +16,9 @@ allow servicemanager {
   -vndservicemanager
 }:binder transfer;
 
-# Access to all (system and vendor) service_contexts
-# TODO(b/36866029) access to nonplat_service_contexts
-#                  should not be allowed on full treble devices
 allow servicemanager service_contexts_file:file r_file_perms;
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble('allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
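Review bot: The `not_full_treble` gate grants the access conditionally but nothing pins the inverse, so a later unconditional `allow` on `nonplat_service_contexts_file` would compile without complaint; consider adding `full_treble_only('neverallow servicemanager nonplat_service_contexts_file:file *;')` next to it (quoted the same way as the line above) so the build enforces the invariant the deleted TODO described. The argument also appears with a plain `'` as its opening quote; if that is not a rendering artifact for the m4 backtick, the argument is not actually quoted and the stray quote characters would end up in the expanded policy, so confirm the real source. Separately, if libselinux still attempts to open the vendor file on full-treble devices, this change will surface as an avc denial on each boot, which should either be confirmed not to happen or be accepted deliberately rather than discovered in logs.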
-- 
GitLab