From f62362da5222f621339a62e177cd376f7439e1e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Kongstad?= <marten.kongstad@sony.com>
Date: Fri, 15 Jun 2018 08:08:19 +0200
Subject: [PATCH] Add idmap2 and idmap2d

Bug: 78815803
Test: builds, boots
Test: manual: adb shell idmap2 create ...
Test: manual: adb shell ps | grep -e idmap2d
Change-Id: I60852e15d99329896ff9de6559d1e7cd1c67e33d
---
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/file_contexts               | 1 +
 private/idmap.te                    | 2 ++
 private/service_contexts            | 1 +
 private/system_server.te            | 2 ++
 public/idmap.te                     | 8 +++++++-
 public/service.te                   | 1 +
 7 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 617291e1f..2caedda3e 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -34,6 +34,7 @@
     heapprofd
     heapprofd_exec
     heapprofd_socket
+    idmap_service
     intelligence_service
     iris_service
     llkd
diff --git a/private/file_contexts b/private/file_contexts
index 6d64c9b65..282120ca2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -277,6 +277,7 @@
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
diff --git a/private/idmap.te b/private/idmap.te
index 73abf3552..c982783b9 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
 typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/service_contexts b/private/service_contexts
index cdf652161..55c2a3522 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -67,6 +67,7 @@ hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
 ians                                      u:object_r:radio_service:s0
+idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 01f02119a..c2033dbbd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,6 +186,7 @@ binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
@@ -656,6 +657,7 @@ allow system_server fingerprintd_service:service_manager find;
 allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa2a..d76558aee 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
 
 # Ignore reading /proc/<pid>/maps after a fork.
 dontaudit idmap installd:file read;
@@ -18,3 +20,7 @@ r_dir_file(idmap, vendor_app_file)
 
 # Allow apps access to /vendor/overlay
 r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/service.te b/public/service.te
index 8024a78cc..f6741805a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@ type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
+type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type inputflinger_service,      service_manager_type;
 type incident_service,          service_manager_type;
-- 
GitLab