From bb24f3abe1d09b1e8d8377683484d3d4589d8f45 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Mon, 27 Mar 2017 12:06:04 -0700
Subject: [PATCH] mac_permissions: explicitly label all mac_permissions files

*mac_permissions.xml files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' or 'rootfs' label.

Bug: 36003167
Test: no new 'mac_perms_file' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
      OTA update.
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
      video

Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/file_contexts    | 2 ++
 private/system_server.te | 2 ++
 public/file.te           | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/private/file_contexts b/private/file_contexts
index 4735191c5..668714491 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -249,6 +249,7 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
@@ -261,6 +262,7 @@
 #
 /vendor(/.*)?		u:object_r:system_file:s0
 /vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 698ae8ead..ddeeb1b97 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -232,6 +232,8 @@ allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
 # Get file context
 allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
diff --git a/public/file.te b/public/file.te
index bc54c347f..c19005dca 100644
--- a/public/file.te
+++ b/public/file.te
@@ -259,6 +259,9 @@ type gps_control, file_type;
 # file_contexts files
 type file_contexts_file, file_type;
 
+# mac_permissions file
+type mac_perms_file, file_type;
+
 # property_contexts file
 type property_contexts_file, file_type;
 
-- 
GitLab