From d6fb7ac1e2fc73804efa6138ead5be2a6dc4e4b2 Mon Sep 17 00:00:00 2001
From: Robert Craig <rpcraig@tycho.ncsc.mil>
Date: Tue, 4 Feb 2014 11:36:41 -0500
Subject: [PATCH] Introduce asec_public_file type.

This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

(cherry picked from commit 48b18832c476f0bd8fcb8ee3e308258392f36aaf)

Change-Id: Ic75095397a11ad715c16a75a7374e9b0d131f3f7
---
 domain.te        | 4 ++++
 drmserver.te     | 2 +-
 file.te          | 2 ++
 file_contexts    | 6 ++++--
 mediaserver.te   | 2 +-
 shared_app.te    | 2 --
 system_app.te    | 4 ----
 untrusted_app.te | 2 ++
 vold.te          | 7 +++++--
 9 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/domain.te b/domain.te
index b13ad75f8..705482410 100644
--- a/domain.te
+++ b/domain.te
@@ -129,6 +129,10 @@ selinux_getenforce(domain)
 allow domain security_file:dir { search getattr };
 allow domain security_file:file getattr;
 
+# World readable asec image contents
+allow domain asec_public_file:file r_file_perms;
+allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
+
 ######## Backwards compatibility - Unlabeled files ############
 
 # Revert to DAC rules when looking at unlabeled files. Over time, the number
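Review bot: The second added rule grants `r_dir_perms` on `asec_apk_file` directories to every domain, which goes beyond the "world readable" rationale in the comment above it: any domain, including the app domains, can now search and list the directory tree of every mounted asec container, not only the res.zip and lib/ elements that carry the new type. This also silently supersedes the narrower `allow untrusted_app asec_apk_file:dir { getattr };` in untrusted_app.te. If directory traversal is all that is needed to reach the public files, `allow domain asec_apk_file:dir search;` is the smaller grant, with `r_dir_perms` kept for `asec_public_file` alone. The comment would also be clearer as `# World readable parts of mounted asec containers (asec_public_file), see file_contexts`, since "asec image" elsewhere in this policy refers to the `asec_image_file` type under /data/app-asec.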
diff --git a/drmserver.te b/drmserver.te
index ba6b5c562..9fa018a97 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -21,7 +21,7 @@ allow drmserver self:{ tcp_socket udp_socket } *;
 allow drmserver port:tcp_socket name_connect;
 allow drmserver tee_device:chr_file rw_file_perms;
 allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver { app_data_file asec_apk_file }:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
 allow drmserver sdcard_type:file { read write getattr };
 allow drmserver efs_file:file { open read getattr };
 
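Review bot: Dropping `asec_apk_file` from this rule removes drmserver's read access to the non-public files of asec containers, and the new domain-wide rule in domain.te does not give that back: it covers only `asec_public_file` files plus directory listing. The same narrowing happens in mediaserver.te, shared_app.te and system_app.te, none of which mention it. If drmserver only ever needs the files now labeled `asec_public_file` this is fine, but the commit message describes adding a type rather than withdrawing access, so the intent deserves a comment on the surviving line, e.g. `# asec container contents are reached via the domain-wide asec_public_file rules.`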
diff --git a/file.te b/file.te
index 6431c2cbc..19f93d471 100644
--- a/file.te
+++ b/file.te
@@ -86,6 +86,8 @@ type efs_file, file_type;
 type wallpaper_file, file_type, mlstrustedobject;
 # /mnt/asec
 type asec_apk_file, file_type, data_file_type;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type;
 # /data/app-asec
 type asec_image_file, file_type, data_file_type;
 # /data/backup and /data/secure/backup
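Review bot: The comment on the new type does not say which elements are meant, so a reader has to cross-reference file_contexts to learn that it is res.zip and lib/ of each container; suggest `# World readable elements of asec containers (/mnt/asec/*/res.zip, /mnt/asec/*/lib); see file_contexts`. Listing the paths here also makes it obvious that untrusted_app's `execute` grant on this type (untrusted_app.te) reaches res.zip as well as the libraries.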
diff --git a/file_contexts b/file_contexts
index a6b193b8e..358c0bc80 100644
--- a/file_contexts
+++ b/file_contexts
@@ -216,5 +216,7 @@
 /sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
 #############################
 # asec containers
-/mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
-/data/app-asec(/.*)?    u:object_r:asec_image_file:s0
+/mnt/asec(/.*)?           u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/res.zip   u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)?      u:object_r:asec_image_file:s0
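Review bot: The `res.zip` entry on the second added line is a regular expression, so the unescaped `.` matches any character and the pattern would also label a file named e.g. `resXzip` as public; `/mnt/asec/[^/]+/res\.zip   u:object_r:asec_public_file:s0` pins it to the literal name. The two public entries are placed after the broader `/mnt/asec(/.*)?` line, which is what lets them win for matching paths under last-match semantics, so their order relative to that line should not be changed. These labels only reach a mounted container when something applies them after mount, which is presumably why vold gains relabel permissions in vold.te in this same patch.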
diff --git a/mediaserver.te b/mediaserver.te
index ab978fa90..f71554ca9 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -39,7 +39,7 @@ allow mediaserver audio_device:chr_file rw_file_perms;
 allow mediaserver sysfs:file rw_file_perms;
 
 # XXX Why?
-allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
+allow mediaserver apk_data_file:file { read getattr };
 
 # Access camera device.
 allow mediaserver camera_device:chr_file rw_file_perms;
diff --git a/shared_app.te b/shared_app.te
index 4ab90fe26..22238824e 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -10,5 +10,3 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-# ASEC
-r_dir_file(shared_app, asec_apk_file)
diff --git a/system_app.te b/system_app.te
index a80cc4548..4f5492cff 100644
--- a/system_app.te
+++ b/system_app.te
@@ -31,10 +31,6 @@ selinux_getenforce(system_app)
 # Settings app reads sdcard for storage stats
 allow system_app sdcard_type:dir r_dir_perms;
 
-# Allow settings app to read from asec
-allow system_app asec_apk_file:dir search;
-allow system_app asec_apk_file:file r_file_perms;
-
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
diff --git a/untrusted_app.te b/untrusted_app.te
index 190424999..96c700974 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,6 +32,8 @@ allow untrusted_app sdcard_external:file create_file_perms;
 # ASEC
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
+# Execute libs in asec containers.
+allow untrusted_app asec_public_file:file execute;
 
 # Create tcp/udp sockets
 allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
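Review bot: `execute` on the added line is granted for the whole `asec_public_file` type, and file_contexts in this patch labels both `lib/` and `res.zip` with that type, so untrusted apps can also map res.zip executable, which the comment `# Execute libs in asec containers.` does not convey. If only the native libraries need it, that argues for a separate type for lib/, or at least for recording the wider grant: `# Execute libs in asec containers (asec_public_file also covers res.zip).`. The unchanged `allow untrusted_app asec_apk_file:dir { getattr };` just above is now subsumed by the domain-wide `r_dir_perms` rule added in domain.te and could be dropped so it does not suggest a narrower grant than actually applies.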
diff --git a/vold.te b/vold.te
index 22198fdc9..18c909de6 100644
--- a/vold.te
+++ b/vold.te
@@ -71,8 +71,11 @@ allow vold ctl_default_prop:property_service set;
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
 security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr };
-allow vold asec_apk_file:file { r_file_perms setattr };
+relabelto_domain(vold)
+allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
+allow vold asec_public_file:file { relabelto setattr };
 
 # Handle wake locks (used for device encryption)
 allow vold sysfs_wake_lock:file rw_file_perms;
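Review bot: The relabel rules are one-directional: vold gets `relabelfrom` on `asec_apk_file` and `relabelto` on `asec_public_file`, but no `relabelfrom` on `asec_public_file`, so a file already carrying the public label can never be relabeled back to `asec_apk_file` (for instance if the file_contexts patterns are later narrowed). That may be deliberate, but nothing in the hunk says why vold relabels at all; a comment such as `# vold restorecons freshly mounted asec containers so res.zip and lib/ pick up asec_public_file (see file_contexts)` would record the presumed flow. `relabelto_domain(vold)` is likewise unexplained; presumably it is what satisfies the policy's restriction on `relabelto`, and a short note next to it would save the next reader the lookup.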
-- 
GitLab