sepolicy: make exec_types in /vendor a subset of vendor_file_type
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.
Bug: 36463595
Test: Boot sailfish without any new denials
Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 721f624..b8cde80 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -1,6 +1,6 @@
# mediacodec - audio and video codecs live here
type mediacodec, domain;
-type mediacodec_exec, exec_type, file_type;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
typeattribute mediacodec mlstrustedsubject;
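Review bot: `mediacodec_exec` is declared in public policy, yet the new line `type mediacodec_exec, exec_type, vendor_file_type, file_type;` marks it as a vendor file for every build that includes this file, so the label is only accurate if the binary is always installed under /vendor. The file_contexts entry that assigns this type is not part of the patch; it is worth confirming that it points into /vendor and not /system. A one-line comment above the declaration, such as `# installed in /vendor; must stay in vendor_file_type`, would record why a public type carries a vendor attribute.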
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 79c0814..a10a6cf 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -1,7 +1,7 @@
type hal_audio_default, domain;
hal_server_domain(hal_audio_default, hal_audio)
-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_audio_default)
hal_client_domain(hal_audio_default, hal_allocator)
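Review bot: Adding `vendor_file_type` to `hal_audio_default_exec` means every allow rule written against that attribute now also applies to this executable, and the stated test (boot without new denials) can only show that no access was lost, not what was newly granted. Before merging it would help to list the rules that target `vendor_file_type` (for example with `sesearch` on the built policy, or `sediff` between the old and new policy) and check that none of them gives write, relabel or execute_no_trans access that a HAL binary should not inherit. The same applies to every other `*_exec` declaration changed in this patch, from hal_bluetooth_default.te through vndservicemanager.te. The invariant is also maintained by hand in each file; a build-time policy test asserting that every type labelled under /vendor carries the attribute would keep later additions from missing it.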
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index e32770d..01d60db 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,5 @@
type hal_bluetooth_default, domain;
hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bluetooth_default)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 9986fb5..ca30e58 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -2,5 +2,5 @@
type hal_bootctl_default, domain;
hal_server_domain(hal_bootctl_default, hal_bootctl)
-type hal_bootctl_default_exec, exec_type, file_type;
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bootctl_default)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 449f159..60b6a5c 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -1,7 +1,7 @@
type hal_camera_default, domain;
hal_server_domain(hal_camera_default, hal_camera)
-type hal_camera_default_exec, exec_type, file_type;
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_camera_default)
# TODO (b/36601397) move hal_camera's data file to
diff --git a/vendor/hal_configstore_default.te b/vendor/hal_configstore_default.te
index e8930ca..cc61a16 100644
--- a/vendor/hal_configstore_default.te
+++ b/vendor/hal_configstore_default.te
@@ -1,5 +1,5 @@
type hal_configstore_default, domain;
hal_server_domain(hal_configstore_default, hal_configstore)
-type hal_configstore_default_exec, exec_type, file_type;
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_configstore_default)
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
index 67dd530..b29808d 100644
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@@ -1,5 +1,5 @@
type hal_contexthub_default, domain;
hal_server_domain(hal_contexthub_default, hal_contexthub)
-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_contexthub_default)
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index ad1762f..3aeec06 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -1,7 +1,7 @@
type hal_drm_default, domain;
hal_server_domain(hal_drm_default, hal_drm)
-type hal_drm_default_exec, exec_type, file_type;
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_default)
allow hal_drm_default mediacodec:fd use;
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
index fa772e1..6fbf40f 100644
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
@@ -1,5 +1,5 @@
type hal_dumpstate_default, domain;
hal_server_domain(hal_dumpstate_default, hal_dumpstate)
-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dumpstate_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 5f5de7e..322c104 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -1,7 +1,7 @@
type hal_fingerprint_default, domain;
hal_server_domain(hal_fingerprint_default, hal_fingerprint)
-type hal_fingerprint_default_exec, exec_type, file_type;
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
# TODO (b/36644492) move hal_fingerprint's data file to
diff --git a/vendor/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te
index d48af16..a3654cc 100644
--- a/vendor/hal_gatekeeper_default.te
+++ b/vendor/hal_gatekeeper_default.te
@@ -1,5 +1,5 @@
type hal_gatekeeper_default, domain;
hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_gatekeeper_default);
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index 18da090..4c40617 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -1,7 +1,7 @@
type hal_gnss_default, domain;
hal_server_domain(hal_gnss_default, hal_gnss)
-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_gnss_default)
# Read access to system files for HALs in
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index f47a604..5afa2b5 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,5 +1,5 @@
type hal_graphics_allocator_default, domain;
hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index b65b8fe..47343d9 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -1,5 +1,5 @@
type hal_graphics_composer_default, domain;
hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_composer_default)
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index 3add20b..9b2b921 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -2,5 +2,5 @@
type hal_health_default, domain;
hal_server_domain(hal_health_default, hal_health)
-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_health_default)
diff --git a/vendor/hal_ir_default.te b/vendor/hal_ir_default.te
index e43bf07..943aab0 100644
--- a/vendor/hal_ir_default.te
+++ b/vendor/hal_ir_default.te
@@ -1,5 +1,5 @@
type hal_ir_default, domain;
hal_server_domain(hal_ir_default, hal_ir)
-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_ir_default)
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262..82a5a20 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
type hal_keymaster_default, domain;
hal_server_domain(hal_keymaster_default, hal_keymaster)
-type hal_keymaster_default_exec, exec_type, file_type;
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymaster_default)
diff --git a/vendor/hal_light_default.te b/vendor/hal_light_default.te
index 8c1bfb6..c7fa9a1 100644
--- a/vendor/hal_light_default.te
+++ b/vendor/hal_light_default.te
@@ -1,5 +1,5 @@
type hal_light_default, domain;
hal_server_domain(hal_light_default, hal_light)
-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_light_default)
diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te
index 0e3ba21..c547699 100644
--- a/vendor/hal_memtrack_default.te
+++ b/vendor/hal_memtrack_default.te
@@ -1,5 +1,5 @@
type hal_memtrack_default, domain;
hal_server_domain(hal_memtrack_default, hal_memtrack)
-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_memtrack_default)
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index a906d97..2f1c092 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -1,7 +1,7 @@
type hal_nfc_default, domain;
hal_server_domain(hal_nfc_default, hal_nfc)
-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_nfc_default)
# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
index 47065ea..3be4f22 100644
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@@ -1,5 +1,5 @@
type hal_power_default, domain;
hal_server_domain(hal_power_default, hal_power)
-type hal_power_default_exec, exec_type, file_type;
+type hal_power_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_power_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index b4c9a86..5ba4aab 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -1,5 +1,5 @@
type hal_sensors_default, domain;
hal_server_domain(hal_sensors_default, hal_sensors)
-type hal_sensors_default_exec, exec_type, file_type;
+type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_sensors_default)
diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te
index 9a777e0..73b2eff 100644
--- a/vendor/hal_thermal_default.te
+++ b/vendor/hal_thermal_default.te
@@ -1,5 +1,5 @@
type hal_thermal_default, domain;
hal_server_domain(hal_thermal_default, hal_thermal)
-type hal_thermal_default_exec, exec_type, file_type;
+type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
init_daemon_domain(hal_thermal_default)
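Review bot: The added line lists `vendor_file_type` twice: `type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;`. The repeat looks like a copy-paste slip; whether the policy compiler accepts it silently is not visible here. It should read `type hal_thermal_default_exec, exec_type, vendor_file_type, file_type;` to match the other HAL declarations in this patch.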
diff --git a/vendor/hal_tv_input_default.te b/vendor/hal_tv_input_default.te
index a97c171..12d9743 100644
--- a/vendor/hal_tv_input_default.te
+++ b/vendor/hal_tv_input_default.te
@@ -1,6 +1,6 @@
type hal_tv_input_default, domain;
hal_server_domain(hal_tv_input_default, hal_tv_input)
-type hal_tv_input_default_exec, exec_type, file_type;
+type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_tv_input_default)
diff --git a/vendor/hal_usb_default.te b/vendor/hal_usb_default.te
index cc28a65..5642a2a 100644
--- a/vendor/hal_usb_default.te
+++ b/vendor/hal_usb_default.te
@@ -1,5 +1,5 @@
type hal_usb_default, domain;
hal_server_domain(hal_usb_default, hal_usb)
-type hal_usb_default_exec, exec_type, file_type;
+type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_usb_default)
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
index 8bc8a72..6c10d8a 100644
--- a/vendor/hal_vibrator_default.te
+++ b/vendor/hal_vibrator_default.te
@@ -1,5 +1,5 @@
type hal_vibrator_default, domain;
hal_server_domain(hal_vibrator_default, hal_vibrator)
-type hal_vibrator_default_exec, exec_type, file_type;
+type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_vibrator_default)
diff --git a/vendor/hal_vr_default.te b/vendor/hal_vr_default.te
index 7475524..6a60192 100644
--- a/vendor/hal_vr_default.te
+++ b/vendor/hal_vr_default.te
@@ -1,5 +1,5 @@
type hal_vr_default, domain;
hal_server_domain(hal_vr_default, hal_vr)
-type hal_vr_default_exec, exec_type, file_type;
+type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_vr_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
index 7c3949e..75a9842 100644
--- a/vendor/hal_wifi_default.te
+++ b/vendor/hal_wifi_default.te
@@ -1,5 +1,5 @@
type hal_wifi_default, domain;
hal_server_domain(hal_wifi_default, hal_wifi)
-type hal_wifi_default_exec, exec_type, file_type;
+type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_wifi_default)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 82bccdb..c2bdc73 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -1,7 +1,7 @@
# wpa supplicant or equivalent
type hal_wifi_supplicant_default, domain;
hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
-type hal_wifi_supplicant_default_exec, exec_type, file_type;
+type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_wifi_supplicant_default)
net_domain(hal_wifi_supplicant_default)
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index e7d8308..d20581e 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -1,6 +1,6 @@
# userspace wifi access points
type hostapd, domain;
-type hostapd_exec, exec_type, file_type;
+type hostapd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hostapd)
diff --git a/vendor/rild.te b/vendor/rild.te
index 69c5c39..ea9109b 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -1,6 +1,6 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-type rild_exec, exec_type, file_type;
+type rild_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(rild)
# TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
diff --git a/vendor/tee.te b/vendor/tee.te
index ad43b24..e5e8b2d 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -3,7 +3,7 @@
#
typeattribute tee domain_deprecated;
-type tee_exec, exec_type, file_type;
+type tee_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(tee)
allow tee self:capability { dac_override };
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index e898884..f956af8 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -1,5 +1,5 @@
# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager_exec, exec_type, file_type;
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vndservicemanager);