commit 8d73989eb3a5c4ad1c2c9b4455b9546d52cade42
author Inseob Kim <inseob@google.com> Wed Jul 26 13:35:54 2023 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Wed Jul 26 13:35:54 2023 +0000
tree 381134fa13c296aaf887c15d27f05fb1fa57b1d3
parent ba4c95392d95efbaf11b73228b5a791e001ae062
parent fb13a306cdf001cd462273b81d5e30f8eb798b0c

Give priority to platform side seapp_contexts am: 51fde66c16 am: 85561b366a am: fb13a306cd

Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2671235

Change-Id: Ia7b8018f817eb15fd15040ad90fd2df83399f10f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

libselinux/src/android/android_seapp.c

diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index c0f6eb2..7e847a8 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -164,6 +164,15 @@
 	free(s->level);
 }
 
+static bool is_platform(const char *partition) {
+	// system, system_ext, product are regarded as "platform", whereas vendor
+	// and odm are regarded as vendor.
+	if (strcmp(partition, "system") == 0) return true;
+	if (strcmp(partition, "system_ext") == 0) return true;
+	if (strcmp(partition, "product") == 0) return true;
+	return false;
+}
+
 /* Compare two seapp_context. Used to sort all the entries found. */
 static int seapp_context_cmp(const void *A, const void *B)
 {
@@ -234,6 +243,12 @@
 	if (s1->fromRunAs != s2->fromRunAs)
 		return (s1->fromRunAs ? -1 : 1);
 
+	/* Give precedence to platform side contexts */
+	bool isS1Platform = is_platform(s1->partition);
+	bool isS2Platform = is_platform(s2->partition);
+	if (isS1Platform != isS2Platform)
+		return (isS1Platform ? -1 : 1);
+
 	/* Anything else has equal precedence. */
 	return 0;
 }
@@ -574,6 +589,8 @@
 					selinux_log(SELINUX_ERROR, " seinfo=%s\n", s1->seinfo);
 				if (s1->name.str)
 					selinux_log(SELINUX_ERROR, " name=%s\n", s1->name.str);
+				if (s1->partition)
+					selinux_log(SELINUX_ERROR, " partition=%s\n", s1->partition);
 				goto err_no_log;
 			}
 		}
@@ -693,15 +710,6 @@
 	return true;
 }
 
-static bool is_platform(const char *partition) {
-	// system, system_ext, product are regarded as "platform", whereas vendor
-	// and odm are regarded as vendor.
-	if (strcmp(partition, "system") == 0) return true;
-	if (strcmp(partition, "system_ext") == 0) return true;
-	if (strcmp(partition, "product") == 0) return true;
-	return false;
-}
-
 static bool is_preinstalled_app_partition_valid(const char *app_policy, const char *app_partition) {
 	// We forbid system/system_ext/product installed apps from being labeled with vendor sepolicy.
 	// So, either the app shouldn't be platform, or the spec should be platform.