am f85c1fc2: Allow installd, vold, system_server unlabeled access.

* commit 'f85c1fc2': Allow installd, vold, system_server unlabeled access.

am f85c1fc2: Allow installd, vold, system_server unlabeled access.
e3a92d50 · Stephen Smalley · Android Git Automerger · c0254385 · f85c1fc2 · e3a92d50
Commit e3a92d50 authored 10 years ago by Stephen Smalley Committed by Android Git Automerger 10 years ago
--- a/installd.te
+++ b/installd.te
@@ -49,9 +49,11 @@ allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;

 # Upgrade from unlabeled userdata.
-# Just need enough to relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;

 # Upgrade from before system_app_data_file was used for system UID apps.
 # Just need enough to relabel it and to unlink removed package files.

--- a/system_server.te
+++ b/system_server.te
@@ -227,6 +227,11 @@ allow system_server zoneinfo_data_file:file create_file_perms;
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;

 # Populate com.android.providers.settings/databases/settings.db.
 allow system_server system_app_data_file:dir create_dir_perms;

--- a/vold.te
+++ b/vold.te
@@ -71,10 +71,13 @@ allow vold ctl_fuse_prop:property_service set;
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
 security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
+allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
 allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };

 # Handle wake locks (used for device encryption)
 wakelock_use(vold)