Merge "Update selinux policy for policyvers retrieval."

ca69bb23 · Yifan Hong · Android (Google) Code Review · 77d7c5d1 · 5b3494eb · ca69bb23
Commit ca69bb23 authored 7 years ago by Yifan Hong Committed by Android (Google) Code Review 7 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -478,7 +478,6 @@ neverallow appdomain
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 # SELinux is not an API for apps to use
-neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
 neverallow { appdomain -shell } *:security { compute_av check_context };
 neverallow { appdomain -shell } *:netlink_selinux_socket *;

--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -166,6 +166,9 @@ neverallow all_untrusted_apps {
  -hidl_token_hwservice # Designed for use by any domain
 }:hwservice_manager find;
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 # Restrict *Binder access from apps to HAL domains. We can only do this on full
 # Treble devices where *Binder communications between apps and HALs are tightly
 # restricted.

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -108,6 +108,9 @@ allow priv_app preloads_media_file:dir r_dir_perms;
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
 read_runtime_log_tags(priv_app)
 ###

--- a/public/recovery.te
+++ b/public/recovery.te
@@ -75,6 +75,9 @@ recovery_only(`
  allow recovery functionfs:dir search;
  allow recovery functionfs:file rw_file_perms;
+  # Access to /sys/fs/selinux/policyvers for compatibility check
+  allow recovery selinuxfs:file r_file_perms;
  # Required to e.g. wipe userdata/cache.
  allow recovery device:dir r_dir_perms;
  allow recovery block_device:dir r_dir_perms;