Merge "Add SELinux policy for asec containers."

app.te

@@ -26,6 +26,9 @@ allow platform_app shell_data_file:lnk_file read;
 allow platform_app apk_tmp_file:file rw_file_perms;
 # Read /dev/xt_qtaguid
 allow platform_app qtaguid_device:chr_file r_file_perms;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
@@ -53,6 +56,8 @@ net_domain(shared_app)
 bluetooth_domain(shared_app)
 # Read logs.
 allow shared_app log_device:chr_file read;
+# ASEC
+r_dir_file(shared_app, asec_apk_file);
 
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;

domain.te

@@ -54,6 +54,7 @@ allow domain urandom_device:chr_file r_file_perms;
 
 # Filesystem accesses.
 allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
 
 # System file accesses.
 allow domain system_file:dir r_dir_perms;

file.te

@@ -32,7 +32,6 @@ type anr_data_file, file_type, data_file_type, mlstrustedobject;
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type;
-type asec_data_file, file_type, data_file_type;
 type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
@@ -59,6 +58,10 @@ type cache_file, file_type, mlstrustedobject;
 type efs_file, file_type;
 # Type for wallpaper file.
 type wallpaper_file, file_type, mlstrustedobject;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type;
 
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per

file_contexts

@@ -152,4 +152,5 @@
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 #############################
 # asec containers
-/mnt/asec(/.*)?         u:object_r:asec_data_file:s0
+/mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
+/data/app-asec(/.*)?    u:object_r:asec_image_file:s0

installd.te

@@ -20,3 +20,7 @@ dontaudit installd self:capability sys_admin;
 selinux_check_context(installd)
 # Read /seapp_contexts, presently on the rootfs.
 allow installd rootfs:file r_file_perms;
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file r_file_perms;

vold.te

@@ -16,7 +16,7 @@ allow vold sdcard:dir create_dir_perms;
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin };
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket *;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
@@ -39,7 +39,7 @@ allow vold sysfs:file rw_file_perms;
 unix_socket_connect(vold, property, init)
 
 # Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
+allow vold labeledfs:filesystem { mount unmount remount };
 
 # Access /efs/userdata_footer.
 # XXX Split into a separate type?
@@ -53,7 +53,14 @@ allow vold kernel:system module_request;
 allow vold proc:file write;
 
 # Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { open read write create add_name mounton };
+allow vold system_data_file:dir { rw_dir_perms mounton };
 
 # Property Service
 allow vold vold_prop:property_service set;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold rootfs:file r_file_perms;
+allow vold asec_apk_file:dir { rw_dir_perms setattr };
+allow vold asec_apk_file:file { r_file_perms setattr };