Loading services/core/java/com/android/server/pm/SELinuxMMAC.java +41 −13 Original line number Diff line number Diff line Loading @@ -60,10 +60,8 @@ public final class SELinuxMMAC { // to synchronize access during policy load and access attempts. private static List<Policy> sPolicies = new ArrayList<>(); /** Path to MAC permissions on system image */ private static final File[] MAC_PERMISSIONS = { new File(Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"), new File(Environment.getVendorDirectory(), "/etc/selinux/nonplat_mac_permissions.xml") }; /** Required MAC permissions files */ private static List<File> sMacPermissions = new ArrayList<>(); // Append privapp to existing seinfo label private static final String PRIVILEGED_APP_STR = ":privapp"; Loading @@ -74,13 +72,40 @@ public final class SELinuxMMAC { // Append targetSdkVersion=n to existing seinfo label where n is the app's targetSdkVersion private static final String TARGETSDKVERSION_STR = ":targetSdkVersion="; // Only initialize sMacPermissions once. static { // Platform mac permissions. sMacPermissions.add(new File( Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml")); // Vendor mac permissions. // The filename has been renamed from nonplat_mac_permissions to // vendor_mac_permissions. Either of them should exist. final File vendorMacPermission = new File( Environment.getVendorDirectory(), "/etc/selinux/vendor_mac_permissions.xml"); if (vendorMacPermission.exists()) { sMacPermissions.add(vendorMacPermission); } else { // For backward compatibility. sMacPermissions.add(new File(Environment.getVendorDirectory(), "/etc/selinux/nonplat_mac_permissions.xml")); } // ODM mac permissions (optional). final File odmMacPermission = new File( Environment.getOdmDirectory(), "/etc/selinux/odm_mac_permissions.xml"); if (odmMacPermission.exists()) { sMacPermissions.add(odmMacPermission); } } /** * Load the mac_permissions.xml file containing all seinfo assignments used to * label apps. The loaded mac_permissions.xml file is determined by the * MAC_PERMISSIONS class variable which is set at class load time which itself * is based on the USE_OVERRIDE_POLICY class variable. For further guidance on * label apps. The loaded mac_permissions.xml files are plat_mac_permissions.xml and * vendor_mac_permissions.xml, on /system and /vendor partitions, respectively. * odm_mac_permissions.xml on /odm partition is optional. For further guidance on * the proper structure of a mac_permissions.xml file consult the source code * located at system/sepolicy/mac_permissions.xml. * located at system/sepolicy/private/mac_permissions.xml. * * @return boolean indicating if policy was correctly loaded. A value of false * typically indicates a structural problem with the xml or incorrectly Loading @@ -93,10 +118,13 @@ public final class SELinuxMMAC { FileReader policyFile = null; XmlPullParser parser = Xml.newPullParser(); for (int i = 0; i < MAC_PERMISSIONS.length; i++) { final int count = sMacPermissions.size(); for (int i = 0; i < count; ++i) { final File macPermission = sMacPermissions.get(i); try { policyFile = new FileReader(MAC_PERMISSIONS[i]); Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS[i]); policyFile = new FileReader(macPermission); Slog.d(TAG, "Using policy file " + macPermission); parser.setInput(policyFile); parser.nextTag(); Loading @@ -120,13 +148,13 @@ public final class SELinuxMMAC { StringBuilder sb = new StringBuilder("Exception @"); sb.append(parser.getPositionDescription()); sb.append(" while parsing "); sb.append(MAC_PERMISSIONS[i]); sb.append(macPermission); sb.append(":"); sb.append(ex); Slog.w(TAG, sb.toString()); return false; } catch (IOException ioe) { Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS[i], ioe); Slog.w(TAG, "Exception parsing " + macPermission, ioe); return false; } finally { IoUtils.closeQuietly(policyFile); Loading Loading
services/core/java/com/android/server/pm/SELinuxMMAC.java +41 −13 Original line number Diff line number Diff line Loading @@ -60,10 +60,8 @@ public final class SELinuxMMAC { // to synchronize access during policy load and access attempts. private static List<Policy> sPolicies = new ArrayList<>(); /** Path to MAC permissions on system image */ private static final File[] MAC_PERMISSIONS = { new File(Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"), new File(Environment.getVendorDirectory(), "/etc/selinux/nonplat_mac_permissions.xml") }; /** Required MAC permissions files */ private static List<File> sMacPermissions = new ArrayList<>(); // Append privapp to existing seinfo label private static final String PRIVILEGED_APP_STR = ":privapp"; Loading @@ -74,13 +72,40 @@ public final class SELinuxMMAC { // Append targetSdkVersion=n to existing seinfo label where n is the app's targetSdkVersion private static final String TARGETSDKVERSION_STR = ":targetSdkVersion="; // Only initialize sMacPermissions once. static { // Platform mac permissions. sMacPermissions.add(new File( Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml")); // Vendor mac permissions. // The filename has been renamed from nonplat_mac_permissions to // vendor_mac_permissions. Either of them should exist. final File vendorMacPermission = new File( Environment.getVendorDirectory(), "/etc/selinux/vendor_mac_permissions.xml"); if (vendorMacPermission.exists()) { sMacPermissions.add(vendorMacPermission); } else { // For backward compatibility. sMacPermissions.add(new File(Environment.getVendorDirectory(), "/etc/selinux/nonplat_mac_permissions.xml")); } // ODM mac permissions (optional). final File odmMacPermission = new File( Environment.getOdmDirectory(), "/etc/selinux/odm_mac_permissions.xml"); if (odmMacPermission.exists()) { sMacPermissions.add(odmMacPermission); } } /** * Load the mac_permissions.xml file containing all seinfo assignments used to * label apps. The loaded mac_permissions.xml file is determined by the * MAC_PERMISSIONS class variable which is set at class load time which itself * is based on the USE_OVERRIDE_POLICY class variable. For further guidance on * label apps. The loaded mac_permissions.xml files are plat_mac_permissions.xml and * vendor_mac_permissions.xml, on /system and /vendor partitions, respectively. * odm_mac_permissions.xml on /odm partition is optional. For further guidance on * the proper structure of a mac_permissions.xml file consult the source code * located at system/sepolicy/mac_permissions.xml. * located at system/sepolicy/private/mac_permissions.xml. * * @return boolean indicating if policy was correctly loaded. A value of false * typically indicates a structural problem with the xml or incorrectly Loading @@ -93,10 +118,13 @@ public final class SELinuxMMAC { FileReader policyFile = null; XmlPullParser parser = Xml.newPullParser(); for (int i = 0; i < MAC_PERMISSIONS.length; i++) { final int count = sMacPermissions.size(); for (int i = 0; i < count; ++i) { final File macPermission = sMacPermissions.get(i); try { policyFile = new FileReader(MAC_PERMISSIONS[i]); Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS[i]); policyFile = new FileReader(macPermission); Slog.d(TAG, "Using policy file " + macPermission); parser.setInput(policyFile); parser.nextTag(); Loading @@ -120,13 +148,13 @@ public final class SELinuxMMAC { StringBuilder sb = new StringBuilder("Exception @"); sb.append(parser.getPositionDescription()); sb.append(" while parsing "); sb.append(MAC_PERMISSIONS[i]); sb.append(macPermission); sb.append(":"); sb.append(ex); Slog.w(TAG, sb.toString()); return false; } catch (IOException ioe) { Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS[i], ioe); Slog.w(TAG, "Exception parsing " + macPermission, ioe); return false; } finally { IoUtils.closeQuietly(policyFile); Loading
