From 53c76a25bbf9266178b61d157c7f4f9efb6b36d5 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Tue, 8 Feb 2022 15:44:06 +0000
Subject: [PATCH] Support legacy apexdata labels

This partly reverts fa10a14fac28f9c407b4ff800972f9cef75fcf35. There we
removed individual labels for various apexdata labels, replacing them
with apex_system_server_data_file.

Unfortunately that doesn't handle upgrade scenarios well, e.g. when
updating system but keeping the old vendor sepolicy. The directories
keep their old labels, and vold_prepare_subdirs is unable to relabel
them as there is no policy to allow it to.

So we bring back the legacy labels, in private not public, and add the
rules needed to ensure system_server and vold_prepare_subdirs have the
access they need. All the other access needed is obtained via the
apex_data_file_type attribute.

Bug: 217581286
Test: Reset labels using chcon, reboot, directories are relabeled, no denials
Change-Id: If696882450f2634e382f217dab8f9f3882bff03f
---
 private/file.te                 |  7 +++++++
 private/system_server.te        | 13 +++++++++++++
 private/vold_prepare_subdirs.te |  9 +++++++++
 3 files changed, 29 insertions(+)

diff --git a/private/file.te b/private/file.te
index 5b6170f36..759fede42 100644
--- a/private/file.te
+++ b/private/file.te
@@ -54,6 +54,13 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/apexdata/com.android.compos
 type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
+# for backward compatibility b/217581286
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/private/system_server.te b/private/system_server.te
index 1e799328e..1cf7ac47c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1329,6 +1329,19 @@ allow system_server apex_module_data_file:dir { getattr search };
 # These are modules where the code runs in system_server, so we need full access.
 allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
+# Legacy labels that we still need to support (b/217581286)
+allow system_server {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:dir create_dir_perms;
+allow system_server {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:file create_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index c6d482a0b..e4004e44a 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -48,6 +48,15 @@ allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
 allow vold_prepare_subdirs mnt_expand_file:dir search;
 allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
 allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+
+# Migrate legacy labels to apex_system_server_data_file (b/217581286)
+allow vold_prepare_subdirs {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:dir relabelfrom;
+
 # /data/misc is unlabeled during early boot.
 allow vold_prepare_subdirs unlabeled:dir search;