diff --git a/app.te b/app.te index 1540f08b8..22a393e24 100644 --- a/app.te +++ b/app.te @@ -26,6 +26,9 @@ allow platform_app shell_data_file:lnk_file read; allow platform_app apk_tmp_file:file rw_file_perms; # Read /dev/xt_qtaguid allow platform_app qtaguid_device:chr_file r_file_perms; +# ASEC +allow platform_app asec_apk_file:dir create_dir_perms; +allow platform_app asec_apk_file:file create_file_perms; # Apps signed with the media key. type media_app, domain; @@ -53,6 +56,8 @@ net_domain(shared_app) bluetooth_domain(shared_app) # Read logs. allow shared_app log_device:chr_file read; +# ASEC +r_dir_file(shared_app, asec_apk_file); # Apps signed with the release key (testkey in AOSP). type release_app, domain; diff --git a/domain.te b/domain.te index 47ad05a3a..96f971c84 100644 --- a/domain.te +++ b/domain.te @@ -54,6 +54,7 @@ allow domain urandom_device:chr_file r_file_perms; # Filesystem accesses. allow domain fs_type:filesystem getattr; +allow domain fs_type:dir getattr; # System file accesses. allow domain system_file:dir r_dir_perms; diff --git a/file.te b/file.te index 451ad1dad..70100a955 100644 --- a/file.te +++ b/file.te @@ -32,7 +32,6 @@ type anr_data_file, file_type, data_file_type, mlstrustedobject; type tombstone_data_file, file_type, data_file_type; # /data/app - user-installed apps type apk_data_file, file_type, data_file_type; -type asec_data_file, file_type, data_file_type; type apk_tmp_file, file_type, data_file_type, mlstrustedobject; # /data/dalvik-cache type dalvikcache_data_file, file_type, data_file_type; @@ -59,6 +58,10 @@ type cache_file, file_type, mlstrustedobject; type efs_file, file_type; # Type for wallpaper file. type wallpaper_file, file_type, mlstrustedobject; +# /mnt/asec +type asec_apk_file, file_type, data_file_type; +# /data/app-asec +type asec_image_file, file_type, data_file_type; # All devices have bluetooth efs files. But they # vary per device, so this type is used in per diff --git a/file_contexts b/file_contexts index 8876bfe96..713da7991 100644 --- a/file_contexts +++ b/file_contexts @@ -152,4 +152,5 @@ /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0 ############################# # asec containers -/mnt/asec(/.*)? u:object_r:asec_data_file:s0 +/mnt/asec(/.*)? u:object_r:asec_apk_file:s0 +/data/app-asec(/.*)? u:object_r:asec_image_file:s0 diff --git a/installd.te b/installd.te index 2a87eb7b1..553127c00 100644 --- a/installd.te +++ b/installd.te @@ -20,3 +20,7 @@ dontaudit installd self:capability sys_admin; selinux_check_context(installd) # Read /seapp_contexts, presently on the rootfs. allow installd rootfs:file r_file_perms; +# ASEC +allow installd platform_app_data_file:lnk_file { create setattr }; +allow installd app_data_file:lnk_file { create setattr }; +allow installd asec_apk_file:file r_file_perms; diff --git a/vold.te b/vold.te index 86dbbb7a7..60d6a3729 100644 --- a/vold.te +++ b/vold.te @@ -16,7 +16,7 @@ allow vold sdcard:dir create_dir_perms; allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:dir create_dir_perms; allow vold tmpfs:dir mounton; -allow vold self:capability { net_admin dac_override mknod sys_admin }; +allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid }; allow vold self:netlink_kobject_uevent_socket *; allow vold app_data_file:dir search; allow vold app_data_file:file rw_file_perms; @@ -39,7 +39,7 @@ allow vold sysfs:file rw_file_perms; unix_socket_connect(vold, property, init) # Unmount and mount the fs. -allow vold labeledfs:filesystem { mount unmount }; +allow vold labeledfs:filesystem { mount unmount remount }; # Access /efs/userdata_footer. # XXX Split into a separate type? @@ -53,7 +53,14 @@ allow vold kernel:system module_request; allow vold proc:file write; # Create and mount on /data/tmp_mnt. -allow vold system_data_file:dir { open read write create add_name mounton }; +allow vold system_data_file:dir { rw_dir_perms mounton }; # Property Service allow vold vold_prop:property_service set; + +# ASEC +allow vold asec_image_file:file create_file_perms; +allow vold asec_image_file:dir rw_dir_perms; +allow vold rootfs:file r_file_perms; +allow vold asec_apk_file:dir { rw_dir_perms setattr }; +allow vold asec_apk_file:file { r_file_perms setattr };