From f627e5581c479013e067494c5af71adf13aa260a Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 13 Apr 2017 21:58:12 -0700
Subject: [PATCH] restore permissions to /vendor for non-treble devices

Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
---
 private/app.te             | 3 ++-
 public/dhcp.te             | 1 +
 public/dumpstate.te        | 1 +
 public/install_recovery.te | 1 +
 public/netd.te             | 1 +
 public/ppp.te              | 1 +
 public/racoon.te           | 1 +
 public/vold.te             | 1 +
 8 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/private/app.te b/private/app.te
index c3f44ddb9..651800005 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,8 +87,9 @@ allow appdomain oemfs:file rx_file_perms;
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
diff --git a/public/dhcp.te b/public/dhcp.te
index c18b08d68..22351edcc 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -9,6 +9,7 @@ allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 
 # dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
 allow dhcp toolbox_exec:file rx_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index bfbb43bca..3322e1468 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -26,6 +26,7 @@ allow dumpstate self:capability {
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
 allow dumpstate toolbox_exec:file rx_file_perms;
 
 # Create and write into /data/anr/
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 06794ee1e..9a2a9ee05 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,6 +10,7 @@ allow install_recovery shell_exec:file rx_file_perms;
 
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
+not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')
 
 allow install_recovery toolbox_exec:file rx_file_perms;
 
diff --git a/public/netd.te b/public/netd.te
index 3a48cd389..1694aecdf 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -27,6 +27,7 @@ allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
 allow netd devpts:chr_file rw_file_perms;
 
 # Acquire advisory lock on /system/etc/xtables.lock
diff --git a/public/ppp.te b/public/ppp.te
index 7a5eada59..918ef5e7f 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -17,6 +17,7 @@ allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
diff --git a/public/racoon.te b/public/racoon.te
index d5d5a4ef1..00744d8f1 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -19,6 +19,7 @@ allow racoon self:capability { net_admin net_bind_service net_raw };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 
diff --git a/public/vold.te b/public/vold.te
index 89e2c2471..20181d113 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,6 +31,7 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
-- 
GitLab