Label /data/.layout_version with its own type.

installd creates /data/.layout_version. Introduce a separate type for this file (and any other file created by installd under a directory labeled system_data_file) so that we can allow create/write access by installd without allowing it to any system data files created by other processes. This prevents installd from overwriting other system data files, and ensure that any files it creates will require explicit rules in order to access. Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /data/.layout_version with its own type.
baf49bd5 · Stephen Smalley · 41e14c7f · baf49bd5 · baf49bd5 · baf49bd5
Commit baf49bd5 authored 10 years ago by Stephen Smalley
--- a/file.te
+++ b/file.te
@@ -41,6 +41,9 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# /data/.layout_version or other installd-created files that
+# are created in a system_data_file directory.
+type install_data_file, file_type, data_file_type;
 # /data/drm - DRM plugin data
 type drm_data_file, file_type, data_file_type;
 # /data/anr - ANR traces

--- a/file_contexts
+++ b/file_contexts
@@ -164,6 +164,7 @@
 # Data files
 #
 /data(/.*)?		u:object_r:system_data_file:s0
+/data/.layout_version		u:object_r:install_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
 /data/security(/.*)?	u:object_r:security_file:s0

--- a/installd.te
+++ b/installd.te
@@ -31,7 +31,8 @@ allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
 # Create /data/.layout_version.* file
-allow installd system_data_file:file create_file_perms;
+type_transition installd system_data_file:file install_data_file;
+allow installd install_data_file:file create_file_perms;
 # Create files under /data/dalvik-cache.
 allow installd dalvikcache_data_file:dir create_dir_perms;
@@ -49,9 +50,9 @@ allow installd unlabeled:dir { getattr search relabelfrom };
 allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
 # Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it.
+# Just need enough to relabel it and to unlink removed package files.
 # Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom };
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
 # Manage /data/data subdirectories, including initially labeling them
 # upon creation via setfilecon or running restorecon_recursive,