Google Git
Sign in
android / device / google / dragon / 59f42f3^! / .
commit59f42f390529e64cd36fb60a203033717ea05d57[log] [tgz]
authorSandeep Patil <sspatil@google.com>Mon Apr 03 11:17:56 2017 -0700
committerSandeep Patil <sspatil@google.com>Wed Apr 05 13:58:50 2017 -0700
tree4e198afec2829821b5970af0cbf69a3656a0f72a
parentbad1a2a6ad043426649997816206ca476795428a [diff]
vendor: ensure all non-treble devices get same access to /vendor

Make sure vendor_file is added everywhere system_file access is granted
to vendor processes. This guarantees non-treble device policy is not
altered (made stricter) in any way after the relabeling.

Bug: 36527360

All tests were run on Angler, bullhead, sailfish, dragon

Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure audio plays back.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I5e7238ac48fb2ae82194b00e31967ba894500e79
Signed-off-by: Sandeep Patil <sspatil@google.com>

diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index 3bdd0cd..dcd5c79 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te

@@ -14,4 +14,5 @@
 r_dir_file(cameraserver, sysfs)
 
 allow cameraserver system_file:dir r_dir_perms;
+allow cameraserver vendor_file_type:dir r_dir_perms;
 allow cameraserver tmpfs:dir search;

diff --git a/sepolicy/device_domain_deprecated.te b/sepolicy/device_domain_deprecated.te
index bbe0b71..c74fc2b 100644
--- a/sepolicy/device_domain_deprecated.te
+++ b/sepolicy/device_domain_deprecated.te

@@ -8,6 +8,9 @@
 allow device_domain_deprecated system_file:dir r_dir_perms;
 allow device_domain_deprecated system_file:file r_file_perms;
 allow device_domain_deprecated system_file:lnk_file r_file_perms;
+allow device_domain_deprecated vendor_file_type:dir r_dir_perms;
+allow device_domain_deprecated vendor_file_type:file r_file_perms;
+allow device_domain_deprecated vendor_file_type:lnk_file r_file_perms;
 allow device_domain_deprecated system_data_file:file { getattr read };
 allow device_domain_deprecated system_data_file:lnk_file r_file_perms;
 allow device_domain_deprecated apk_data_file:dir { getattr search };

diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 654d832..7c49f44 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te

@@ -1,4 +1,5 @@
 allow mediacodec sysfs:file r_file_perms;
 allow mediacodec system_file:dir r_dir_perms;
+allow mediacodec vendor_file_type:dir r_dir_perms;
 allow mediacodec device:dir r_dir_perms;
 allow mediacodec host1x_device:chr_file rw_file_perms;