From 939d16b59f08c083c026899550d0128dfe49072a Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Fri, 24 Mar 2017 12:24:43 -0700
Subject: [PATCH] service_contexts: label service_contexts explicitly
The label applies to all service_contexts regardless of their location. This also lets us track the service_contexts usage and limit access to the files for the corresponding object manager alone.
Bug: 36002427
Test: Boot sailfish and observe no denials for 'serice_contexts'
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check \
--abi arm64-v8a --module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospServiceContexts
Change-Id: I97fc8b24bc99ca5c00d010fb522cd39a35572858
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/adbd.te | 1 +
 private/file_contexts | 6 ++++--
 public/file.te | 3 +++
 public/servicemanager.te | 3 ++-
 4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/private/adbd.te b/private/adbd.te
index 73302acd1..80c6a016f 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -100,6 +100,7 @@ allow adbd system_file:file r_file_perms;
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/private/file_contexts b/private/file_contexts
index 5c0bc67c6..90df77cc8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -50,8 +50,8 @@
 /nonplat_seapp_contexts u:object_r:rootfs:s0
 /plat_seapp_contexts u:object_r:rootfs:s0
 /sepolicy u:object_r:rootfs:s0
-/plat_service_contexts u:object_r:rootfs:s0
-/nonplat_service_contexts u:object_r:rootfs:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/nonplat_service_contexts u:object_r:service_contexts_file:s0
 ##########################
 # Devices
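Review bot: The added rule `allow adbd service_contexts_file:file r_file_perms;` in private/adbd.te carries no comment, and it gives a second domain read access to a type the commit message says should be limited to the object manager alone. Judging by the CTS test named in the commit message, the grant is presumably there so the host-side test can pull the files over adb; if so, say that next to the rule, e.g. `# Allow pulling service_contexts for CTS (SELinuxHostTest#testAospServiceContexts)`. Without it a later reviewer cannot tell this deliberate exception from an accidental widening. The surrounding block of adbd rules starts above the hunk, so an existing comment there may already cover it.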
@@ -250,12 +250,14 @@
 /system/bin/vr_wm u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
 /system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
 #############################
 # Vendor files
 #
 /vendor(/.*)? u:object_r:system_file:s0
 /vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
 #############################
 # OEM and ODM files
diff --git a/public/file.te b/public/file.te
index 1ef7a355c..72af4855c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -259,6 +259,9 @@ type gps_control, file_type;
 # property_contexts file
 type property_contexts_file, file_type;
+# service_contexts file
+type service_contexts_file, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 46b3b0e80..7ad32fc6d 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -11,7 +11,8 @@ type servicemanager_exec, exec_type, file_type;
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
-r_dir_file(servicemanager, rootfs)
+# Access to all (system and vendor) service_contexts
+allow servicemanager service_contexts_file:file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
-- GitLab
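Review bot: `service_contexts_file` is declared in public/file.te with only the `file_type` attribute, and nothing in this patch enforces the restriction the commit message describes, so any rule written against `file_type` still reaches these files. Consider pairing the declaration with a neverallow that at least forbids modification outside init, something along the lines of `neverallow { domain -init } service_contexts_file:file no_w_file_perms;`, with the exemption set adjusted to what the build actually requires. The comment `# service_contexts file` could also name the expected readers, e.g. `# service_contexts files; read by servicemanager (and adbd for CTS)`.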
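Review bot: Replacing `r_dir_file(servicemanager, rootfs)` with a file-only rule in public/servicemanager.te also drops servicemanager's directory and symlink read access on rootfs. That is the tightening the commit intends, but it only works if directory search on `/`, `/system/etc/selinux` and `/vendor/etc/selinux` is granted somewhere this hunk does not show. The vendor copy sits under the `/vendor(/.*)?` entry labelled `system_file` in the file_contexts hunk, so confirm servicemanager can traverse `system_file:dir` on a device that ships the file there; the boot test on sailfish may not exercise that location. Because this file is under public/, vendor policy that relied on the old rootfs access may be affected as well.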