commit d70c0c82dbe865e778adde9327c7c255b21bff5b
author Sandeep Patil <sspatil@google.com> Sat Apr 01 11:41:24 2017 -0700
committer Sandeep Patil <sspatil@google.com> Wed Apr 05 14:00:12 2017 -0700
tree b8198a1b917974d668cc7c273c6f4e223dc434e2
parent 22100c12d379b0ee3638efc00dbd4d0957a51c46

vendor: ensure all non-treble devices get same access to /vendor

Make sure vendor_file is added everywhere system_file access is granted
to vendor processes. This guarantees non-treble device policy is not
altered (made stricter) in any way after the relabeling.

Bug: 36527360

All test were run on Bullhead.
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure audio plays back.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I5a28c4a6da2296db312e30686c07e3d27e8963da
Signed-off-by: Sandeep Patil <sspatil@google.com>

sepolicy/device_domain_deprecated.te

diff --git a/sepolicy/device_domain_deprecated.te b/sepolicy/device_domain_deprecated.te
index bbe0b71..c74fc2b 100644
--- a/sepolicy/device_domain_deprecated.te
+++ b/sepolicy/device_domain_deprecated.te
@@ -8,6 +8,9 @@
 allow device_domain_deprecated system_file:dir r_dir_perms;
 allow device_domain_deprecated system_file:file r_file_perms;
 allow device_domain_deprecated system_file:lnk_file r_file_perms;
+allow device_domain_deprecated vendor_file_type:dir r_dir_perms;
+allow device_domain_deprecated vendor_file_type:file r_file_perms;
+allow device_domain_deprecated vendor_file_type:lnk_file r_file_perms;
 allow device_domain_deprecated system_data_file:file { getattr read };
 allow device_domain_deprecated system_data_file:lnk_file r_file_perms;
 allow device_domain_deprecated apk_data_file:dir { getattr search };

sepolicy/ims.te

diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 75b6b54..6368c40 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -32,6 +32,7 @@
 
 # Runs /system/bin/ndc
 allow ims system_file:file rx_file_perms;
+allow ims vendor_file_type:file rx_file_perms;
 
 # address qualcomm proprietary binary denials
 allow ims self:netlink_socket create_socket_perms_no_ioctl;

sepolicy/netmgrd.te

diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index b752060..aa6286f 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -26,6 +26,7 @@
 
 # Runs /system/bin/toolbox
 allow netmgrd system_file:file rx_file_perms;
+allow netmgrd vendor_file_type:file rx_file_perms;
 
 allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
 allow netmgrd self:netlink_route_socket nlmsg_write;