Commit 59e9d2d8 authored by Tri Vo's avatar Tri Vo Committed by Gerrit Code Review

Merge "SELinux type for vendor public libs."

parents c4ec97ab 29497b62
...@@ -562,7 +562,9 @@ ...@@ -562,7 +562,9 @@
(typeattributeset runas_exec_26_0 (runas_exec)) (typeattributeset runas_exec_26_0 (runas_exec))
(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file)) (typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
(typeattributeset safemode_prop_26_0 (safemode_prop)) (typeattributeset safemode_prop_26_0 (safemode_prop))
(typeattributeset same_process_hal_file_26_0 (same_process_hal_file)) (typeattributeset same_process_hal_file_26_0
( same_process_hal_file
vendor_public_lib_file))
(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service)) (typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service)) (typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
(typeattributeset sdcardd_26_0 (sdcardd)) (typeattributeset sdcardd_26_0 (sdcardd))
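Review bot: The widened `same_process_hal_file_26_0` entry has no comment recording its effect: every rule that 26.0 vendor policy wrote against that versioned attribute now also applies to `vendor_public_lib_file`. Since the new type is described elsewhere in this commit as exposed only to apps, a short CIL comment would help, e.g. `; vendor_public_lib_file is mapped here so 26.0 vendor rules on same_process_hal_file also cover it`. The same applies to the `same_process_hal_file_27_0` entry in the 27.0 mapping. Whether any vendor domain gains access it should not have depends on vendor policy that is not shown on this page.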
......
...@@ -1278,7 +1278,9 @@ ...@@ -1278,7 +1278,9 @@
(typeattributeset runas_exec_27_0 (runas_exec)) (typeattributeset runas_exec_27_0 (runas_exec))
(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file)) (typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
(typeattributeset safemode_prop_27_0 (safemode_prop)) (typeattributeset safemode_prop_27_0 (safemode_prop))
(typeattributeset same_process_hal_file_27_0 (same_process_hal_file)) (typeattributeset same_process_hal_file_27_0
( same_process_hal_file
vendor_public_lib_file))
(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service)) (typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service)) (typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
(typeattributeset sdcardd_27_0 (sdcardd)) (typeattributeset sdcardd_27_0 (sdcardd))
......
...@@ -116,6 +116,10 @@ r_dir_file(appdomain, vendor_overlay_file) ...@@ -116,6 +116,10 @@ r_dir_file(appdomain, vendor_overlay_file)
# for vendor provided libraries. # for vendor provided libraries.
r_dir_file(appdomain, vendor_framework_file) r_dir_file(appdomain, vendor_framework_file)
# Allow apps read / execute access to vendor public libraries.
allow appdomain vendor_public_lib_file:dir r_dir_perms;
allow appdomain vendor_public_lib_file:file { execute read open getattr map };
# Execute dex2oat when apps call dexclassloader # Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms; allow appdomain dex2oat_exec:file rx_file_perms;
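Review bot: The file rule for `vendor_public_lib_file` spells out `{ execute read open getattr map }` while the neighbouring `dex2oat_exec` rule uses `rx_file_perms`, and the comment does not say why. If the intent is to let apps load these libraries without granting `execute_no_trans`, state it: `# Explicit set instead of rx_file_perms: libs can be mapped and executed, but not exec()ed as programs.` No `lnk_file` access is granted either, unlike the `r_dir_file()` calls above. If vendors ship any of these libraries as symlinks carrying this label, loading would presumably be denied, so that is worth confirming.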
......
...@@ -1024,6 +1024,7 @@ full_treble_only(` ...@@ -1024,6 +1024,7 @@ full_treble_only(`
-same_process_hal_file -same_process_hal_file
-vndk_sp_file -vndk_sp_file
-vendor_app_file -vendor_app_file
-vendor_public_lib_file
}:file execute; }:file execute;
') ')
...@@ -1402,3 +1403,11 @@ neverallow { ...@@ -1402,3 +1403,11 @@ neverallow {
coredomain coredomain
-init -init
} mnt_vendor_file:dir *; } mnt_vendor_file:dir *;
# Only apps are allowed access to vendor public libraries.
full_treble_only(`
neverallow {
coredomain
-appdomain
} vendor_public_lib_file:file { execute execute_no_trans };
')
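Review bot: The comment `Only apps are allowed access to vendor public libraries` promises more than the neverallow below it enforces. The rule covers only `execute` and `execute_no_trans` on `:file`, only for `coredomain` outside `appdomain`, and only under `full_treble_only`. Reads, `open`/`map` and directory access by other core domains are not forbidden, and non-core domains are not covered at all. Reword it to match, e.g. `# Among core domains, only apps may execute vendor public libraries.`, so a later reader does not rely on a guarantee the policy does not give.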
...@@ -149,6 +149,9 @@ type vndk_sp_file, vendor_file_type, file_type; ...@@ -149,6 +149,9 @@ type vndk_sp_file, vendor_file_type, file_type;
type vendor_framework_file, vendor_file_type, file_type; type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay # Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type; type vendor_overlay_file, vendor_file_type, file_type;
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
# /metadata partition itself # /metadata partition itself
type metadata_file, file_type; type metadata_file, file_type;
......