Add vendor_public_framework_file type to SEPolicy

And allow access from system apps to vendor libs that are public only for system.
These files should be marked individually by OEMs. Maintenance
ownership for these libraries is also the OEM's responsibility.
Similar to the vendor_public_lib_file type, this allows for explicit
labeling of OEM system apps that can access libs from vendor.

Bug: 172526961
Test: build-only change, policy builds
Change-Id: I7d4c8232e0b52e73f373d3347170c87ab2dcce52
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 8340c76..fb0fa44 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1914,7 +1914,9 @@
 (typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
 (typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
 (typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_29_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_29_0
+    ( vendor_public_framework_file
+      vendor_public_lib_file))
 (typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
 (typeattributeset vendor_shell_29_0 (vendor_shell))
 (typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index a2ae272..3830fc0 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2185,7 +2185,9 @@
 (typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
 (typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
 (typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_30_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_30_0
+    ( vendor_public_framework_file
+      vendor_public_lib_file))
 (typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
 (typeattributeset vendor_shell_30_0 (vendor_shell))
 (typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))
diff --git a/private/domain.te b/private/domain.te
index 062a51e..982031a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -467,6 +467,7 @@
     -vendor_keychars_file
     -vendor_keylayout_file
     -vendor_overlay_file
+    -vendor_public_framework_file
     -vendor_public_lib_file
     -vendor_task_profiles_file
     -vndk_sp_file
diff --git a/public/app.te b/public/app.te
index 5eb20d8..39d67af 100644
--- a/public/app.te
+++ b/public/app.te
@@ -120,8 +120,8 @@
 r_dir_file(appdomain, vendor_framework_file)
 
 # Allow apps read / execute access to vendor public libraries.
-allow appdomain vendor_public_lib_file:dir r_dir_perms;
-allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
 
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write map };
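Review bot: The two changed allow rules grant every domain in appdomain read/execute on vendor_public_framework_file, the same breadth as vendor_public_lib_file, even though the commit message and the new file.te comment describe these libraries as public only to system; as far as I know appdomain also covers the untrusted app domains, so the new label narrows nothing in practice. Either restrict the subject to the system app domains the type is meant for (for example `allow system_app vendor_public_framework_file:file { execute read open getattr map };` with a matching dir rule) or update the comment and commit message to say that all apps get access. The neverallow in public/domain.te, `neverallow { coredomain -appdomain } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };`, carries the same appdomain-wide exemption. The comment above these lines, `# Allow apps read / execute access to vendor public libraries.`, should also mention the framework type.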
diff --git a/public/domain.te b/public/domain.te
index 3f33b5b..844db8a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -986,6 +986,7 @@
       -same_process_hal_file
       -vndk_sp_file
       -vendor_app_file
+      -vendor_public_framework_file
       -vendor_public_lib_file
     }:file execute;
 ')
@@ -1346,7 +1347,7 @@
   neverallow {
     coredomain
     -appdomain
-  } vendor_public_lib_file:file { execute execute_no_trans };
+  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
 ')
 
 # Vendor domian must not have access to /mnt/product.
diff --git a/public/file.te b/public/file.te
index c1c69b9..ecc9841 100644
--- a/public/file.te
+++ b/public/file.te
@@ -223,6 +223,9 @@
 # Type for all vendor public libraries. These libs should only be exposed to
 # apps. ABI stability of these libs is vendor's responsibility.
 type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
 
 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;
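Review bot: The comment on the new type says these libs should only be exposed to system, but nothing in the declaration enforces that, and the commit message says OEMs mark these files individually; the comment should record that, e.g. `# Not labeled by default: OEMs assign this type to individual files in their file_contexts.` It would also help to say what "system" means here (system apps versus all of coredomain), since the neverallow rules treat the two differently. The first line of the new comment also appears to run past the width used by the neighbouring vendor_public_lib_file comment; consider rewrapping it.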