From f85c1fc293523db241c48d815b165067b8a0f471 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 27 May 2014 10:56:24 -0400
Subject: [PATCH] Allow installd, vold, system_server unlabeled access.

The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/

Beyond those changes, installd needs to be able to remove package directories
for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so
allow it the permissions required for this purpose.  vold needs to be able
to chown/chmod/restorecon files in asec containers so allow it the
permissions to do so.  system_server tries to access all /data/data
subdirectories so permit it to do so.  installd and system_server
read the pkg.apk file before it has been relabeled by vold and therefore
need to read unlabeled files.

Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 installd.te      | 8 +++++---
 system_server.te | 5 +++++
 vold.te          | 7 +++++--
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/installd.te b/installd.te
index 3ce2c5d08..f84075a4c 100644
--- a/installd.te
+++ b/installd.te
@@ -49,9 +49,11 @@ allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
 
 # Upgrade from unlabeled userdata.
-# Just need enough to relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
 
 # Upgrade from before system_app_data_file was used for system UID apps.
 # Just need enough to relabel it and to unlink removed package files.
diff --git a/system_server.te b/system_server.te
index 4b8e38490..50c9d98b7 100644
--- a/system_server.te
+++ b/system_server.te
@@ -227,6 +227,11 @@ allow system_server zoneinfo_data_file:file create_file_perms;
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
 
 # Populate com.android.providers.settings/databases/settings.db.
 allow system_server system_app_data_file:dir create_dir_perms;
diff --git a/vold.te b/vold.te
index 30cd9d2b5..0247bfea9 100644
--- a/vold.te
+++ b/vold.te
@@ -71,10 +71,13 @@ allow vold ctl_fuse_prop:property_service set;
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
 security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
+allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
 allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)
-- 
GitLab