mac_permissions: explicitly label all mac_permissions files

*mac_permissions.xml files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' or 'rootfs' label. Bug: 36003167 Test: no new 'mac_perms_file' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc Signed-off-by: Sandeep Patil <sspatil@google.com>

mac_permissions: explicitly label all mac_permissions files
*mac_permissions.xml files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' or 'rootfs' label. Bug: 36003167 Test: no new 'mac_perms_file' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc Signed-off-by: Sandeep Patil <sspatil@google.com>
bb24f3ab · Sandeep Patil · 136caa1b · bb24f3ab · bb24f3ab · bb24f3ab
Commit bb24f3ab authored 8 years ago by Sandeep Patil
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -249,6 +249,7 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
@@ -261,6 +262,7 @@
 #
 /vendor(/.*)?		u:object_r:system_file:s0
 /vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -232,6 +232,8 @@ allow system_server mediadrmserver:udp_socket rw_socket_perms;
 # Get file context
 allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)

--- a/public/file.te
+++ b/public/file.te
@@ -259,6 +259,9 @@ type gps_control, file_type;
 # file_contexts files
 type file_contexts_file, file_type;
+# mac_permissions file
+type mac_perms_file, file_type;
 # property_contexts file
 type property_contexts_file, file_type;