author | Tri Vo <trong@google.com> | 2019-01-16 11:57:19 -0800 |
---|---|---|
committer | Tri Vo <trong@google.com> | 2019-01-16 12:54:32 -0800 |
commit | 503f1852ba568472a96a8b13b4926a2670f5794e (patch) | |
tree | 9dc8e2337ec5383cd28fceee3bf15c47a34ff79a /init | |
parent | 173a02b4395d2cf7be2c9922b6d428cec2596367 (diff) | |
init: load /product selinux mapping file
/system/etc/selinux/mapping/V.v.cil is being split into /system and
/product parts.
Change init to account for /product/etc/selinux/mapping/V.v.cil mapping
file when merging SELinux policies.
Bug: 119305624
Test: boot taimen
Test: "cnd" type is declared in /vendor; "dataservice_app" type is
declared in /product. This permission is preserved
"allow cnd dataservice_app:binder { transfer call };"
Change-Id: I65995a75041044ae71c148d655a70c5efd3b84cc
Diffstat (limited to 'init')
-rw-r--r-- | init/selinux.cpp | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/init/selinux.cpp b/init/selinux.cpp
index e4da52c31..ad399ae64 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -304,13 +304,18 @@ bool LoadSplitPolicy() {
 if (!GetVendorMappingVersion(&vend_plat_vers)) {
 return false;
 }
- std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
+ std::string plat_mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
 std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
 if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
 product_policy_cil_file.clear();
 }
+ std::string product_mapping_file("/product/etc/selinux/mapping/" + vend_plat_vers + ".cil");
+ if (access(product_mapping_file.c_str(), F_OK) == -1) {
+ product_mapping_file.clear();
+ }
+
+
 // vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
 // nonplat_sepolicy.cil.
 std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
@@ -340,7 +345,7 @@ bool LoadSplitPolicy() {
 "-m", "-M", "true", "-G", "-N",
 // Target the highest policy language version supported by the kernel
 "-c", version_as_string.c_str(),
- mapping_file.c_str(),
+ plat_mapping_file.c_str(),
 "-o", compiled_sepolicy,
 // We don't care about file_contexts output by the compiler
 "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
@@ -350,6 +355,9 @@ bool LoadSplitPolicy() {
 if (!product_policy_cil_file.empty()) {
 compile_args.push_back(product_policy_cil_file.c_str());
 }
+ if (!product_mapping_file.empty()) {
+ compile_args.push_back(product_mapping_file.c_str());
+ }
 if (!plat_pub_versioned_cil_file.empty()) {
 compile_args.push_back(plat_pub_versioned_cil_file.c_str());
 } |
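Review bot: In the first hunk, `access(product_mapping_file.c_str(), F_OK) == -1` treats every failure as "file absent", so an I/O or path-permission error on /product silently drops the mapping from the secilc inputs appended in the third hunk, and the merged policy is compiled without it with nothing in the boot log to show that. Because the set of CIL inputs determines the effective policy, I would log the non-ENOENT case before the `clear()`, e.g. `if (errno != ENOENT) PLOG(WARNING) << "Cannot access " << product_mapping_file;`, and consider a one-line `LOG(INFO)` naming the product mapping when it is picked up. The `product_policy_cil_file` check just above uses the same pattern, so both could be changed together. Not visible in these hunks: whether a device that ships product_sepolicy.cil without a mapping for `vend_plat_vers` should be rejected rather than compiled, and whether any precompiled-policy shortcut elsewhere in the file notices a changed /product mapping; LoadSplitPolicy() begins and ends outside the hunks shown.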