Merge "label boot animations on oem with bootanim_oem_file" into main am: d1fada7e61
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2964524
Change-Id: I281fea83a7dc0144e7dc4383a61d7485688808f8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 7c0c662..3c02a3d 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -653,6 +653,9 @@
/oem oemfs
/oem/does_not_exist oemfs
+/oem/media/bootanimation.zip bootanim_oem_file
+/oem/media/shutdownanimation.zip bootanim_oem_file
+/oem/media/userspace-reboot.zip bootanim_oem_file
/oem/overlay vendor_overlay_file
/oem/overlay/does_not_exist vendor_overlay_file
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index 595d53e..7d80433 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -2099,7 +2099,7 @@
(typeattributeset null_device_34_0 (null_device))
(typeattributeset oem_lock_service_34_0 (oem_lock_service))
(typeattributeset oem_unlock_prop_34_0 (oem_unlock_prop))
-(typeattributeset oemfs_34_0 (oemfs))
+(typeattributeset oemfs_34_0 (oemfs bootanim_oem_file))
(typeattributeset ondevicepersonalization_system_service_34_0 (ondevicepersonalization_system_service))
(typeattributeset ota_data_file_34_0 (ota_data_file))
(typeattributeset ota_metadata_file_34_0 (ota_metadata_file))
diff --git a/private/file_contexts b/private/file_contexts
index 7d9660b..3a65d81 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -457,6 +457,9 @@
/oem(/.*)? u:object_r:oemfs:s0
/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/oem/media/bootanimation.zip u:object_r:bootanim_oem_file:s0
+/oem/media/shutdownanimation.zip u:object_r:bootanim_oem_file:s0
+/oem/media/userspace-reboot.zip u:object_r:bootanim_oem_file:s0
# The precompiled monolithic sepolicy will be under /odm only when
# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 7ad8feb..064d0d9 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -73,3 +73,6 @@
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
+
+# boot animations on oem are stored with specific label
+allow mediaprovider_app bootanim_oem_file:file r_file_perms;
diff --git a/public/bootanim.te b/public/bootanim.te
index a9616b7..239393c 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -17,7 +17,9 @@
allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
-r_dir_file(bootanim, oemfs);
+allow bootanim oemfs:dir r_dir_perms;
+# boot animations on oem are stored with specific label
+allow bootanim bootanim_oem_file:file r_file_perms;
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index b887406..209fdb1 100644
--- a/public/file.te
+++ b/public/file.te
@@ -229,6 +229,8 @@
type linkerconfig_file, file_type;
# Control files under /data/incremental
type incremental_control_file, file_type, data_file_type, core_data_file_type;
+# /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip
+type bootanim_oem_file, file_type, system_file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 367012c..9b86c86 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -98,6 +98,9 @@
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
+# /oem boot animation file
+allow mediaserver bootanim_oem_file:file r_file_perms;
+
# /vendor apk access
allow mediaserver vendor_app_file:file { read map getattr };