From b1cc4f8ca4202556d41e48cd7b0bb0559ea4b182 Mon Sep 17 00:00:00 2001
From: dcashman
Date: Wed, 14 Dec 2016 13:46:05 -0800
Subject: [PATCH] Split mac_permissions.xml into plat and non-plat components.

Bug: 31363362
Test: Bullhead and Sailfish both build and boot without new denials.
Change-Id: Ic9523ce4b0755d6c585548f4f2b1f00e7000195b
---
 .../com/android/server/pm/SELinuxMMAC.java | 73 ++++++++++---------
 1 file changed, 38 insertions(+), 35 deletions(-)

diff --git a/services/core/java/com/android/server/pm/SELinuxMMAC.java b/services/core/java/com/android/server/pm/SELinuxMMAC.java
index 2176eb164b51c..0fe15396fad7a 100644
--- a/services/core/java/com/android/server/pm/SELinuxMMAC.java
+++ b/services/core/java/com/android/server/pm/SELinuxMMAC.java
@@ -59,8 +59,9 @@ public final class SELinuxMMAC {
     private static List sPolicies = new ArrayList<>();
 
     /** Path to MAC permissions on system image */
-    private static final File MAC_PERMISSIONS = new File(Environment.getRootDirectory(),
-            "/etc/security/mac_permissions.xml");
+    private static final File[] MAC_PERMISSIONS =
+        { new File(Environment.getRootDirectory(), "/etc/security/plat_mac_permissions.xml"),
+          new File(Environment.getRootDirectory(), "/etc/security/nonplat_mac_permissions.xml") };
 
     // Append privapp to existing seinfo label
     private static final String PRIVILEGED_APP_STR = ":privapp";
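Review bot: The Javadoc immediately above the new array, `/** Path to MAC permissions on system image */`, is now stale: the constant holds two files, and the parsing loop in the next hunk requires every one of them to be present and well-formed before any policy is accepted. Suggest `/** Platform and non-platform MAC permission policy files on the system image; each must exist and parse, or no policy is loaded. */`. Since these paths decide where the seinfo policy is read from, note that `final` on a `File[]` only fixes the reference, not the elements; a `List<File>` built with `Collections.unmodifiableList(Arrays.asList(...))` would make the set immutable, at the cost of iterating with `for (File f : MAC_PERMISSIONS)` in the loop below.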
@@ -87,49 +88,51 @@ public final class SELinuxMMAC {
         FileReader policyFile = null;
         XmlPullParser parser = Xml.newPullParser();
 
-        try {
-            policyFile = new FileReader(MAC_PERMISSIONS);
-            Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS);
+        for (int i = 0; i < MAC_PERMISSIONS.length; i++) {
+            try {
+                policyFile = new FileReader(MAC_PERMISSIONS[i]);
+                Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS[i]);
 
-            parser.setInput(policyFile);
-            parser.nextTag();
-            parser.require(XmlPullParser.START_TAG, null, "policy");
+                parser.setInput(policyFile);
+                parser.nextTag();
+                parser.require(XmlPullParser.START_TAG, null, "policy");
 
-            while (parser.next() != XmlPullParser.END_TAG) {
-                if (parser.getEventType() != XmlPullParser.START_TAG) {
-                    continue;
-                }
-
-                switch (parser.getName()) {
-                    case "signer":
-                        policies.add(readSignerOrThrow(parser));
-                        break;
-                    default:
-                        skip(parser);
+                while (parser.next() != XmlPullParser.END_TAG) {
+                    if (parser.getEventType() != XmlPullParser.START_TAG) {
+                        continue;
+                    }
+
+                    switch (parser.getName()) {
+                        case "signer":
+                            policies.add(readSignerOrThrow(parser));
+                            break;
+                        default:
+                            skip(parser);
+                    }
                 }
+            } catch (IllegalStateException | IllegalArgumentException |
+                    XmlPullParserException ex) {
+                StringBuilder sb = new StringBuilder("Exception @");
+                sb.append(parser.getPositionDescription());
+                sb.append(" while parsing ");
+                sb.append(MAC_PERMISSIONS[i]);
+                sb.append(":");
+                sb.append(ex);
+                Slog.w(TAG, sb.toString());
+                return false;
+            } catch (IOException ioe) {
+                Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS[i], ioe);
+                return false;
+            } finally {
+                IoUtils.closeQuietly(policyFile);
             }
-        } catch (IllegalStateException | IllegalArgumentException |
-                XmlPullParserException ex) {
-            StringBuilder sb = new StringBuilder("Exception @");
-            sb.append(parser.getPositionDescription());
-            sb.append(" while parsing ");
-            sb.append(MAC_PERMISSIONS);
-            sb.append(":");
-            sb.append(ex);
-            Slog.w(TAG, sb.toString());
-            return false;
-        } catch (IOException ioe) {
-            Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS, ioe);
-            return false;
-        } finally {
-            IoUtils.closeQuietly(policyFile);
         }
 
         // Now sort the policy stanzas
         PolicyComparator policySort = new PolicyComparator();
         Collections.sort(policies, policySort);
         if (policySort.foundDuplicate()) {
-            Slog.w(TAG, "ERROR! Duplicate entries found parsing " + MAC_PERMISSIONS);
+            Slog.w(TAG, "ERROR! Duplicate entries found parsing mac_permissions.xml files");
             return false;
         }
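Review bot: `policyFile` is still the single `FileReader policyFile = null;` declared above the new `for` loop and is never reset between iterations, so when `new FileReader(MAC_PERMISSIONS[i])` throws for the second file the `finally` re-closes the first iteration's already-closed reader rather than skipping a null one; presumably harmless today, but an easy trap for the next edit. Scoping the reader to each iteration with try-with-resources, `try (FileReader policyFile = new FileReader(MAC_PERMISSIONS[i])) {`, lets the `finally { IoUtils.closeQuietly(policyFile); }` branch and the null initializer go away. The loop also makes every listed file mandatory: a missing `nonplat_mac_permissions.xml` surfaces as an IOException and the whole load returns false, which is the right fail-closed outcome for a MAC policy but is not stated anywhere, so a comment on the `for` line such as `// Every listed policy file must exist and parse; any failure rejects the whole policy set.` would make the intent explicit. The enclosing method begins before this hunk and continues after it.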