Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 5ed5072e06db153ea1be7717cc2663b95f07257d^! / .
commit5ed5072e06db153ea1be7717cc2663b95f07257d[log] [tgz]
authorDario Freni <dariofreni@google.com>Fri Mar 01 11:28:23 2019 +0000
committerDario Freni <dariofreni@google.com>Sun Mar 03 20:53:42 2019 +0000
tree7570d49fb81d5bf6b8562c2c9371818f76ec68e0
parentec270900486759dbd21fbdaff4ec4edcfe7b7087 [diff]
Use label staging_data_file for installed APEX.

This is needed in cases SELinux labels are restored under /data/apex by
an external process calling restorecon. In normal condition files under
/data/apex/active retain the label staging_data_file used at their
original creation by StagingManager. However, we observed that the label
might be changed to apex_data_file, which we were able to reproduce by
running restorecon.

Explicitly mark files under /data/apex/active and /data/apex/backup as
staging_data_file.

This CL also remove some stale rules being addressed since.

Test: ran restorecon on files in /data/apex/active, attempted installing
a new apex which triggered the violation when files are linked to
/data/apex/backup. With this CL, the operation succeeds.
Bug: 112669193
Change-Id: Ib4136e9b9f4993a5b7e02aade8f5c5e300a7793c

diff --git a/private/apexd.te b/private/apexd.te
index 80e115a..5b27101 100644
--- a/private/apexd.te
+++ b/private/apexd.te

@@ -45,11 +45,6 @@
 # because it doesn't have write permission for staging_data_file object.
 allow apexd staging_data_file:file unlink;
 
-# allow apexd to relabel apk_tmp_file to apex_data_file.
-# TODO(b/112669193) remove this when APEXes are staged via file descriptor
-allow apexd apk_tmp_file:file relabelfrom;
-allow apexd apex_data_file:file relabelto;
-
 # allow apexd to read files from /data/pkg_staging and hardlink them to /data/apex.
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };

diff --git a/private/file_contexts b/private/file_contexts
index 83be009..39244c1 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -434,6 +434,8 @@
 /data/adb(/.*)?		u:object_r:adb_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/apex(/.*)?		u:object_r:apex_data_file:s0
+/data/apex/active/(.*)?		u:object_r:staging_data_file:s0
+/data/apex/backup/(.*)?		u:object_r:staging_data_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
 /data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
 /data/app/vmdl[^/]+\.tmp(/.*)?           u:object_r:apk_tmp_file:s0