Commit 61f8dfa2 authored by Kouji Shiotani, committed by Martijn Coenen

Avoid SELinux violation at vndservicemanager

Avoid the following SELinux violation.

avc: denied { read } for comm="vndservicemanag"
name="nonplat_service_contexts" dev="rootfs" ino=17045
scontext=u:r:vndservicemanager:s0
tcontext=u:object_r:service_contexts_file:s0 tclass=file permissive=0
ppid=1 pcomm="init" pgid=1 pgcomm="init"

This violation is caused by vndservicemanager reading service_contexts at
svcmgr_handler(). In main() loading as well, processing is divided by
the VENDORSERVICEMANAGER flag. Therefore, even in svcmgr_handler(),
processing is divided by flags like main().

Bug: 62562415
Test: mma
Change-Id: I06b0308a80fc6ea1ca57cd10d9555dd269b8e12d
parent e86f70b4
+4 −0
@@ -287,7 +287,11 @@ int svcmgr_handler(struct binder_state *bs,
    }

    if (sehandle && selinux_status_updated() > 0) {
#ifdef VENDORSERVICEMANAGER
        struct selabel_handle *tmp_sehandle = selinux_android_vendor_service_context_handle();
#else
        struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle();
#endif
        if (tmp_sehandle) {
            selabel_close(sehandle);
            sehandle = tmp_sehandle;
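
Review bot: the `#ifdef VENDORSERVICEMANAGER` choice between `selinux_android_vendor_service_context_handle()` and `selinux_android_service_context_handle()` in this reload branch of svcmgr_handler() is a second copy of the selection that, per the commit message, main() already makes. Move it into one static helper that both main() and this branch call, so the initial load and the reload after `selinux_status_updated() > 0` cannot drift apart again, which is the mismatch that produced the avc denial quoted above. Separately, "Test: mma" only shows that the change builds; it would help to note whether the denial for comm="vndservicemanag" was confirmed gone on a device after a policy status update.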