Merge changes from topic 'vnd-sepol' into oc-dev

* changes: Allow 'su' domain access to vndbinder. Modify checkfc to check (vnd|hw)service_manager_type.

Merge changes from topic 'vnd-sepol' into oc-dev
* changes: Allow 'su' domain access to vndbinder. Modify checkfc to check (vnd|hw)service_manager_type.
f497d0b7 · TreeHugger Robot · Android (Google) Code Review · 42424f13 · cf741dd7 · f497d0b7
Commit f497d0b7 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -1091,7 +1091,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
 	@mkdir -p $(dir $@)
 	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -v $(PRIVATE_SEPOLICY) -e $@

 vnd_svcfiles :=
 vndservice_contexts.tmp :=

--- a/public/su.te
+++ b/public/su.te
@@ -10,6 +10,9 @@ userdebug_or_eng(`
  # Add su to various domains
  net_domain(su)

+  # grant su access to vndbinder
+  vndbinder_use(su)
+
  dontaudit su self:capability_class_set *;
  dontaudit su kernel:security *;
  dontaudit su kernel:system *;
@@ -34,6 +37,8 @@ userdebug_or_eng(`
  dontaudit su property_type:property_service *;
  dontaudit su property_type:file *;
  dontaudit su service_manager_type:service_manager *;
+  dontaudit su hwservice_manager_type:hwservice_manager *;
+  dontaudit su vndservice_manager_type:vndservice_manager *;
  dontaudit su servicemanager:service_manager list;
  dontaudit su keystore:keystore_key *;
  dontaudit su domain:drmservice *;

--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -15,12 +15,16 @@
 static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
 static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
 static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
+static const char * const CHECK_HW_SC_ASSERT_ATTRS[] = { "hwservice_manager_type", NULL };
+static const char * const CHECK_VND_SC_ASSERT_ATTRS[] = { "vndservice_manager_type", NULL };

 typedef enum filemode filemode;
 enum filemode {
    filemode_file_contexts = 0,
    filemode_property_contexts,
-    filemode_service_contexts
+    filemode_service_contexts,
+    filemode_hw_service_contexts,
+    filemode_vendor_service_contexts
 };

 static struct {
@@ -55,6 +59,10 @@ static const char * const *filemode_to_assert_attrs(filemode mode)
        return CHECK_PC_ASSERT_ATTRS;
    case filemode_service_contexts:
        return CHECK_SC_ASSERT_ATTRS;
+    case filemode_hw_service_contexts:
+        return CHECK_HW_SC_ASSERT_ATTRS;
+    case filemode_vendor_service_contexts:
+        return CHECK_VND_SC_ASSERT_ATTRS;
    }
    /* die on invalid parameters */
    fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
@@ -185,10 +193,13 @@ static int validate(char **contextp)
 }

 static void usage(char *name) {
-    fprintf(stderr, "usage1:  %s [-p|-s] [-e] sepolicy context_file\n\n"
+    fprintf(stderr, "usage1:  %s [-l|-p|-s|-v] [-e] sepolicy context_file\n\n"
        "Parses a context file and checks for syntax errors.\n"
-        "The context_file is assumed to be a file_contexts file\n"
-        "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
+        "If -p is specified, the property backend is used.\n"
+        "If -s is specified, the service backend is used to verify binder services.\n"
+        "If -l is specified, the service backend is used to verify hwbinder services.\n"
+        "If -v is specified, the service backend is used to verify vndbinder services.\n"
+        "Otherwise, context_file is assumed to be a file_contexts file\n"
        "If -e is specified, then the context_file is allowed to be empty.\n\n"

        "usage2:  %s -c file_contexts1 file_contexts2\n\n"
@@ -332,7 +343,7 @@ int main(int argc, char **argv)

  filemode mode = filemode_file_contexts;

-  while ((c = getopt(argc, argv, "cpse")) != -1) {
+  while ((c = getopt(argc, argv, "clpsve")) != -1) {
    switch (c) {
      case 'c':
        compare = true;
@@ -348,6 +359,14 @@ int main(int argc, char **argv)
        mode = filemode_service_contexts;
        backend = SELABEL_CTX_ANDROID_SERVICE;
        break;
+      case 'l':
+        mode = filemode_hw_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
+      case 'v':
+        mode = filemode_vendor_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
      case 'h':
      default:
        usage(argv[0]);