Merge "Add odm sepolicy support to SELinuxMMAC.java"

am: a0c52a8ace Change-Id: I5cc7ab8916901e1b3622a17676debe023578f1eb
2017-12-06 10:11:10 +00:00
parent da23b08c6c a0c52a8ace
commit 5f2f65239b
1 changed files with 43 additions and 13 deletions
--- a/services/core/java/com/android/server/pm/SELinuxMMAC.java
+++ b/services/core/java/com/android/server/pm/SELinuxMMAC.java
@@ -60,10 +60,8 @@ public final class SELinuxMMAC {
    // to synchronize access during policy load and access attempts.
    private static List<Policy> sPolicies = new ArrayList<>();

-    /** Path to MAC permissions on system image */
-    private static final File[] MAC_PERMISSIONS =
-    { new File(Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"),
-      new File(Environment.getVendorDirectory(), "/etc/selinux/nonplat_mac_permissions.xml") };
+    // Required MAC permissions files.
+    private static List<File> sMacPermissions = new ArrayList<>();

    // Append privapp to existing seinfo label
    private static final String PRIVILEGED_APP_STR = ":privapp";
@@ -76,11 +74,11 @@ public final class SELinuxMMAC {

    /**
     * Load the mac_permissions.xml file containing all seinfo assignments used to
-     * label apps. The loaded mac_permissions.xml file is determined by the
-     * MAC_PERMISSIONS class variable which is set at class load time which itself
-     * is based on the USE_OVERRIDE_POLICY class variable. For further guidance on
+     * label apps. The loaded mac_permissions.xml files are plat_mac_permissions.xml and
+     * vendor_mac_permissions.xml, on /system and /vendor partitions, respectively.
+     * odm_mac_permissions.xml on /odm partition is optional. For further guidance on
     * the proper structure of a mac_permissions.xml file consult the source code
-     * located at system/sepolicy/mac_permissions.xml.
+     * located at system/sepolicy/private/mac_permissions.xml.
     *
     * @return boolean indicating if policy was correctly loaded. A value of false
     *         typically indicates a structural problem with the xml or incorrectly
@@ -93,10 +91,42 @@ public final class SELinuxMMAC {

        FileReader policyFile = null;
        XmlPullParser parser = Xml.newPullParser();
-        for (int i = 0; i < MAC_PERMISSIONS.length; i++) {
+
+        synchronized (sMacPermissions) {
+            // Only initialize it once.
+            if (sMacPermissions.isEmpty()) {
+                // Platform mac permissions.
+                sMacPermissions.add(new File(
+                    Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml"));
+
+                // Vendor mac permissions.
+                // The filename has been renamed from nonplat_mac_permissions to
+                // vendor_mac_permissions. Either of them should exist.
+                File vendorMacPermission = new File(
+                    Environment.getVendorDirectory(), "/etc/selinux/vendor_mac_permissions.xml");
+                if (vendorMacPermission.exists()) {
+                    sMacPermissions.add(vendorMacPermission);
+                } else {
+                    // For backward compatibility.
+                    sMacPermissions.add(new File(Environment.getVendorDirectory(),
+                                                 "/etc/selinux/nonplat_mac_permissions.xml"));
+                }
+
+                // ODM mac permissions (optional).
+                File odmMacPermission = new File(
+                    Environment.getOdmDirectory(), "/etc/selinux/odm_mac_permissions.xml");
+                if (odmMacPermission.exists()) {
+                    sMacPermissions.add(odmMacPermission);
+                }
+            }
+        }
+
+        final int count = sMacPermissions.size();
+        for (int i = 0; i < count; ++i) {
+            File macPermission = sMacPermissions.get(i);
            try {
-                policyFile = new FileReader(MAC_PERMISSIONS[i]);
-                Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS[i]);
+                policyFile = new FileReader(macPermission);
+                Slog.d(TAG, "Using policy file " + macPermission);

                parser.setInput(policyFile);
                parser.nextTag();
@@ -120,13 +150,13 @@ public final class SELinuxMMAC {
                StringBuilder sb = new StringBuilder("Exception @");
                sb.append(parser.getPositionDescription());
                sb.append(" while parsing ");
-                sb.append(MAC_PERMISSIONS[i]);
+                sb.append(macPermission);
                sb.append(":");
                sb.append(ex);
                Slog.w(TAG, sb.toString());
                return false;
            } catch (IOException ioe) {
-                Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS[i], ioe);
+                Slog.w(TAG, "Exception parsing " + macPermission, ioe);
                return false;
            } finally {
                IoUtils.closeQuietly(policyFile);