
Commit fffa6d23 authored by kaichieh's avatar kaichieh Committed by Bowgo Tsai

Add odm sepolicy support to SELinuxMMAC.java

Currently there are two mac permission files:
    - /system/etc/selinux/plat_mac_permissions.xml
    - /vendor/etc/selinux/nonplat_mac_permissions.xml

The change renames nonplat_mac_permissions.xml to vendor_mac_permissions.xml.
It also adds odm_mac_permissions.xml but allows it to be optional:
    - /system/etc/selinux/plat_mac_permissions.xml
    - /vendor/etc/selinux/vendor_mac_permissions.xml
    - /odm/etc/selinux/odm_mac_permissions.xml (optional)

Also cleans up comments to reflect the change.

Bug: 64240127
Test: boot sailfish normally without odm
Test: boot another device having odm
Change-Id: I9c8cb6feb9ee51d6fe83e324bc05aebaa10b4a24
parent e72b6f0d
+43 −13
@@ -60,10 +60,8 @@ public final class SELinuxMMAC {
    // to synchronize access during policy load and access attempts.
    private static List<Policy> sPolicies = new ArrayList<>();

    /** Path to MAC permissions on system image */
    private static final File[] MAC_PERMISSIONS =
    { new File(Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"),
      new File(Environment.getVendorDirectory(), "/etc/selinux/nonplat_mac_permissions.xml") };
    // Required MAC permissions files.
    private static List<File> sMacPermissions = new ArrayList<>();

    // Append privapp to existing seinfo label
    private static final String PRIVILEGED_APP_STR = ":privapp";
@@ -76,11 +74,11 @@ public final class SELinuxMMAC {

    /**
     * Load the mac_permissions.xml file containing all seinfo assignments used to
     * label apps. The loaded mac_permissions.xml file is determined by the
     * MAC_PERMISSIONS class variable which is set at class load time which itself
     * is based on the USE_OVERRIDE_POLICY class variable. For further guidance on
     * label apps. The loaded mac_permissions.xml files are plat_mac_permissions.xml and
     * vendor_mac_permissions.xml, on /system and /vendor partitions, respectively.
     * odm_mac_permissions.xml on /odm partition is optional. For further guidance on
     * the proper structure of a mac_permissions.xml file consult the source code
     * located at system/sepolicy/mac_permissions.xml.
     * located at system/sepolicy/private/mac_permissions.xml.
     *
     * @return boolean indicating if policy was correctly loaded. A value of false
     *         typically indicates a structural problem with the xml or incorrectly
@@ -93,10 +91,42 @@ public final class SELinuxMMAC {

        FileReader policyFile = null;
        XmlPullParser parser = Xml.newPullParser();
        for (int i = 0; i < MAC_PERMISSIONS.length; i++) {

        synchronized (sMacPermissions) {
            // Only initialize it once.
            if (sMacPermissions.isEmpty()) {
                // Platform mac permissions.
                sMacPermissions.add(new File(
                    Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"));

                // Vendor mac permissions.
                // The filename has been renamed from nonplat_mac_permissions to
                // vendor_mac_permissions. Either of them should exist.
                File vendorMacPermission = new File(
                    Environment.getVendorDirectory(), "/etc/selinux/vendor_mac_permissions.xml");
                if (vendorMacPermission.exists()) {
                    sMacPermissions.add(vendorMacPermission);
                } else {
                    // For backward compatibility.
                    sMacPermissions.add(new File(Environment.getVendorDirectory(),
                                                 "/etc/selinux/nonplat_mac_permissions.xml"));
                }

                // ODM mac permissions (optional).
                File odmMacPermission = new File(
                    Environment.getOdmDirectory(), "/etc/selinux/odm_mac_permissions.xml");
                if (odmMacPermission.exists()) {
                    sMacPermissions.add(odmMacPermission);
                }
            }
        }

        final int count = sMacPermissions.size();
        for (int i = 0; i < count; ++i) {
            File macPermission = sMacPermissions.get(i);
            try {
                policyFile = new FileReader(MAC_PERMISSIONS[i]);
                Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS[i]);
                policyFile = new FileReader(macPermission);
                Slog.d(TAG, "Using policy file " + macPermission);

                parser.setInput(policyFile);
                parser.nextTag();
@@ -120,13 +150,13 @@ public final class SELinuxMMAC {
                StringBuilder sb = new StringBuilder("Exception @");
                sb.append(parser.getPositionDescription());
                sb.append(" while parsing ");
                sb.append(MAC_PERMISSIONS[i]);
                sb.append(macPermission);
                sb.append(":");
                sb.append(ex);
                Slog.w(TAG, sb.toString());
                return false;
            } catch (IOException ioe) {
                Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS[i], ioe);
                Slog.w(TAG, "Exception parsing " + macPermission, ioe);
                return false;
            } finally {
                IoUtils.closeQuietly(policyFile);
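Review bot: The new list `sMacPermissions` (first hunk, `private static List<File> sMacPermissions = new ArrayList<>();`) is used as the monitor in the third hunk (`synchronized (sMacPermissions)`) but is not declared `final`; locking on a reassignable static field is fragile, and the declaration should read `private static final List<File> sMacPermissions = new ArrayList<>();`. The comment above it, `// Required MAC permissions files.`, is also inaccurate now that the list may contain the optional ODM file; something like `// MAC permissions files to load: plat and vendor are required, odm is optional. Populated once under lock.` would match the code. In the third hunk, `sMacPermissions.size()` and `.get(i)` are read after the `synchronized` block rather than inside it, which is presumably safe only if every caller of this method is already serialized elsewhere — worth confirming, or the read could simply be moved under the same lock. The Javadoc in the second hunk names only vendor_mac_permissions.xml, while the code still falls back to nonplat_mac_permissions.xml for backward compatibility; a sentence noting that fallback would keep the doc honest. The enclosing method begins before the third hunk and its signature is not visible here.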