
Commit a0c52a8a authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review

Merge "Add odm sepolicy support to SELinuxMMAC.java"

parents 39f58678 fffa6d23
+43 −13
@@ -60,10 +60,8 @@ public final class SELinuxMMAC {
    // to synchronize access during policy load and access attempts.
    private static List<Policy> sPolicies = new ArrayList<>();

    /** Path to MAC permissions on system image */
    private static final File[] MAC_PERMISSIONS =
    { new File(Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"),
      new File(Environment.getVendorDirectory(), "/etc/selinux/nonplat_mac_permissions.xml") };
    // Required MAC permissions files.
    private static List<File> sMacPermissions = new ArrayList<>();

    // Append privapp to existing seinfo label
    private static final String PRIVILEGED_APP_STR = ":privapp";
@@ -76,11 +74,11 @@ public final class SELinuxMMAC {

    /**
     * Load the mac_permissions.xml file containing all seinfo assignments used to
     * label apps. The loaded mac_permissions.xml file is determined by the
     * MAC_PERMISSIONS class variable which is set at class load time which itself
     * is based on the USE_OVERRIDE_POLICY class variable. For further guidance on
     * label apps. The loaded mac_permissions.xml files are plat_mac_permissions.xml and
     * vendor_mac_permissions.xml, on /system and /vendor partitions, respectively.
     * odm_mac_permissions.xml on /odm partition is optional. For further guidance on
     * the proper structure of a mac_permissions.xml file consult the source code
     * located at system/sepolicy/mac_permissions.xml.
     * located at system/sepolicy/private/mac_permissions.xml.
     *
     * @return boolean indicating if policy was correctly loaded. A value of false
     *         typically indicates a structural problem with the xml or incorrectly
@@ -93,10 +91,42 @@ public final class SELinuxMMAC {

        FileReader policyFile = null;
        XmlPullParser parser = Xml.newPullParser();
        for (int i = 0; i < MAC_PERMISSIONS.length; i++) {

        synchronized (sMacPermissions) {
            // Only initialize it once.
            if (sMacPermissions.isEmpty()) {
                // Platform mac permissions.
                sMacPermissions.add(new File(
                    Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"));

                // Vendor mac permissions.
                // The filename has been renamed from nonplat_mac_permissions to
                // vendor_mac_permissions. Either of them should exist.
                File vendorMacPermission = new File(
                    Environment.getVendorDirectory(), "/etc/selinux/vendor_mac_permissions.xml");
                if (vendorMacPermission.exists()) {
                    sMacPermissions.add(vendorMacPermission);
                } else {
                    // For backward compatibility.
                    sMacPermissions.add(new File(Environment.getVendorDirectory(),
                                                 "/etc/selinux/nonplat_mac_permissions.xml"));
                }

                // ODM mac permissions (optional).
                File odmMacPermission = new File(
                    Environment.getOdmDirectory(), "/etc/selinux/odm_mac_permissions.xml");
                if (odmMacPermission.exists()) {
                    sMacPermissions.add(odmMacPermission);
                }
            }
        }

        final int count = sMacPermissions.size();
        for (int i = 0; i < count; ++i) {
            File macPermission = sMacPermissions.get(i);
            try {
                policyFile = new FileReader(MAC_PERMISSIONS[i]);
                Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS[i]);
                policyFile = new FileReader(macPermission);
                Slog.d(TAG, "Using policy file " + macPermission);

                parser.setInput(policyFile);
                parser.nextTag();
@@ -120,13 +150,13 @@ public final class SELinuxMMAC {
                StringBuilder sb = new StringBuilder("Exception @");
                sb.append(parser.getPositionDescription());
                sb.append(" while parsing ");
                sb.append(MAC_PERMISSIONS[i]);
                sb.append(macPermission);
                sb.append(":");
                sb.append(ex);
                Slog.w(TAG, sb.toString());
                return false;
            } catch (IOException ioe) {
                Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS[i], ioe);
                Slog.w(TAG, "Exception parsing " + macPermission, ioe);
                return false;
            } finally {
                IoUtils.closeQuietly(policyFile);
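Review bot: `sMacPermissions` is the monitor in `synchronized (sMacPermissions)`, but the first hunk declares it as a non-final static, so the lock is only stable while nothing reassigns the field; declare it `private static final List<File> sMacPermissions = new ArrayList<>();`. The loop after the synchronized block reads the list with `size()` and `get(i)` outside the lock, which is safe only because the list is never modified after the one-time initialisation, and a comment next to the field should say so. In the same block, `odmMacPermission.exists()` may not distinguish a missing file from one that cannot be stat'ed, and the skip is silent; an else branch with `Slog.d(TAG, "No ODM mac permissions at " + odmMacPermission);` would show in the logs when ODM seinfo mappings were not loaded. The enclosing method starts and ends outside the visible hunks.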