Merge "Add target for vndservice_contexts." into oc-dev am: c3a9e7df

am: f89f35ec Change-Id: I34301b22c7ee6e041326f37ffd398245672fe926

Merge "Add target for vndservice_contexts." into oc-dev am: c3a9e7df
am: f89f35ec Change-Id: I34301b22c7ee6e041326f37ffd398245672fe926
f09591ef · Martijn Coenen · android-build-merger · 6875f9d1 · f89f35ec · f09591ef
Commit f09591ef authored 8 years ago by Martijn Coenen Committed by android-build-merger 8 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -1067,6 +1067,37 @@ nonplat_service_contexts.tmp :=
 ##################################
 include $(CLEAR_VARS)
+LOCAL_MODULE := vndservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+include $(BUILD_SYSTEM)/base_rules.mk
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
 LOCAL_MODULE := plat_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -52,6 +52,7 @@
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0
+/vndservice_contexts   u:object_r:vndservice_contexts_file:s0
 ##########################
 # Devices
@@ -271,6 +272,7 @@
 /vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
 #############################
 # OEM and ODM files

--- a/public/file.te
+++ b/public/file.te
@@ -276,6 +276,9 @@ type sepolicy_file, file_type;
 # service_contexts file
 type service_contexts_file, file_type;
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;

--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,8 @@ allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
 # Access to all (system and vendor) service_contexts
+# TODO(b/36866029) access to nonplat_service_contexts
+#                  should not be allowed on full treble devices
 allow servicemanager service_contexts_file:file r_file_perms;
 # Check SELinux permissions.

--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -10,5 +10,8 @@ allow vndservicemanager { domain -coredomain -init }:binder transfer;
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)