diff options
| author | 2014-03-27 10:00:58 -0400 | |
|---|---|---|
| committer | 2014-03-28 12:24:29 -0400 | |
| commit | 172d38bcda8d05793db13eb763a280ac2ee36fab (patch) | |
| tree | 093367ca561ab9095da3270d99c793b3e3defbf6 | |
| parent | 55a655091a30667ba7c091dc22d350c0bb8d8641 (diff) | |
Change when the SELinux relabel of /data/data occurs.
Perform the relabel of the /data/data/<pkg> directories
when the app is being scanned by the PMS. The impetus
for this change was that the data directories of forward
locked apps were receiving the wrong label during an
OTA. Because the PMS doesn't actually scan forward locked
apps til later in the boot process, the prior restorecon
call was actually applying the default label of
system_data_file for all such apps. By performing a
restorecon on each individual app as they are entered into
the PMS we can handle them correctly. This mechanism also
allows us to pass down the seinfo tag as part of the
restorecon call which drops our need to rely on the contents
of packages.list.
Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
| -rw-r--r-- | services/java/com/android/server/pm/Installer.java | 11 | ||||
| -rwxr-xr-x | services/java/com/android/server/pm/PackageManagerService.java | 19 |
2 files changed, 21 insertions, 9 deletions
diff --git a/services/java/com/android/server/pm/Installer.java b/services/java/com/android/server/pm/Installer.java index 4b087ccdd8b3..8cd9d935db18 100644 --- a/services/java/com/android/server/pm/Installer.java +++ b/services/java/com/android/server/pm/Installer.java @@ -397,7 +397,14 @@ public final class Installer { return execute(builder.toString()); } - public boolean restoreconData() { - return (execute("restorecondata") == 0); + public boolean restoreconData(String pkgName, String seinfo, int uid) { + StringBuilder builder = new StringBuilder("restorecondata"); + builder.append(' '); + builder.append(pkgName); + builder.append(' '); + builder.append(seinfo != null ? seinfo : "!"); + builder.append(' '); + builder.append(uid); + return (execute(builder.toString()) == 0); } } diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java index 5dded5773067..f33f739411f3 100755 --- a/services/java/com/android/server/pm/PackageManagerService.java +++ b/services/java/com/android/server/pm/PackageManagerService.java @@ -393,6 +393,9 @@ public class PackageManagerService extends IPackageManager.Stub { // If mac_permissions.xml was found for seinfo labeling. boolean mFoundPolicyFile; + // If a recursive restorecon of /data/data/<pkg> is needed. + private boolean mShouldRestoreconData = SELinuxMMAC.shouldRestorecon(); + // All available activities, for your resolving pleasure. final ActivityIntentResolver mActivities = new ActivityIntentResolver(); @@ -1486,13 +1489,6 @@ public class PackageManagerService extends IPackageManager.Stub { // can downgrade to reader mSettings.writeLPr(); - if (SELinuxMMAC.shouldRestorecon()) { - Slog.i(TAG, "Relabeling of /data/data and /data/user issued."); - if (mInstaller.restoreconData()) { - SELinuxMMAC.setRestoreconDone(); - } - } - EventLog.writeEvent(EventLogTags.BOOT_PROGRESS_PMS_READY, SystemClock.uptimeMillis()); @@ -4617,6 +4613,11 @@ public class PackageManagerService extends IPackageManager.Stub { } } pkg.applicationInfo.dataDir = dataPath.getPath(); + if (mShouldRestoreconData) { + Slog.i(TAG, "SELinux relabeling of " + pkg.packageName + " issued."); + mInstaller.restoreconData(pkg.packageName, pkg.applicationInfo.seinfo, + pkg.applicationInfo.uid); + } } else { if (DEBUG_PACKAGE_SCANNING) { if ((parseFlags & PackageParser.PARSE_CHATTY) != 0) @@ -11062,6 +11063,10 @@ public class PackageManagerService extends IPackageManager.Stub { */ public void scanAvailableAsecs() { updateExternalMediaStatusInner(true, false, false); + if (mShouldRestoreconData) { + SELinuxMMAC.setRestoreconDone(); + mShouldRestoreconData = false; + } } /* |