diff --git a/private/file.te b/private/file.te
index 5b6170f36..759fede42 100644
--- a/private/file.te
+++ b/private/file.te
@@ -54,6 +54,13 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/apexdata/com.android.compos
 type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
+# for backward compatibility b/217581286
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/system_server.te b/private/system_server.te
index 9de6cae60..6dd483d3a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1331,6 +1331,19 @@ allow system_server apex_module_data_file:dir { getattr search };
 # These are modules where the code runs in system_server, so we need full access.
 allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
+# Legacy labels that we still need to support (b/217581286)
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+}:dir create_dir_perms;
+allow system_server {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+}:file create_file_perms;
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
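Review bot: The four restored types are declared with `apex_data_file_type`, `data_file_type` and `core_data_file_type`, so every rule elsewhere in policy that is written against those attributes applies to them again, not only the rules this commit adds; the comment should say that this is intended. The comment also does not say whether any file_contexts entry still assigns these labels or whether they exist only on disk from older builds, and it gives no removal condition. If it matches the intent, I would extend it along the lines of `# Only present on devices upgraded from older builds; nothing should assign these labels to new paths. Remove once the b/217581286 migration is complete.`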
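Review bot: The two added rules give system_server the full `create_dir_perms` and `create_file_perms` on the legacy labels, the same set it has on `apex_system_server_data_file`, and the comment does not explain why creation is still needed on types that are being migrated away. If system_server only has to read, update and delete objects that already carry the old labels, a narrower set without `create` would be the least-privilege choice. If the full set is required (for example because nested directories keep the old label and new files inherit it), state that and the condition for dropping the rules, e.g. `# Full access is kept because <reason>; remove with the legacy types once migration is complete (b/217581286)`.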
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index c6d482a0b..e4004e44a 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -48,6 +48,15 @@ allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
 allow vold_prepare_subdirs mnt_expand_file:dir search;
 allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
 allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+
+# Migrate legacy labels to apex_system_server_data_file (b/217581286)
+allow vold_prepare_subdirs {
+ apex_appsearch_data_file
+ apex_permission_data_file
+ apex_scheduling_data_file
+ apex_wifi_data_file
+}:dir relabelfrom;
+
 # /data/misc is unlabeled during early boot.
 allow vold_prepare_subdirs unlabeled:dir search;
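Review bot: The migration rule grants only `relabelfrom` on `:dir`, whereas the neighbouring `user_profile_data_file` and `user_profile_root_file` rules pair `relabelfrom` with `search getattr`, and nothing in this hunk grants `relabelto` on `apex_system_server_data_file`. Those permissions may already come from rules outside the hunk, but if they do not the relabel will be denied and the directories stay on the legacy types. The rule also leaves files inside those directories on the old labels, which may be deliberate given the system_server rules in this commit; the comment should say so, e.g. `# Only the top-level directory is relabelled; existing files keep their legacy label.` If files are meant to migrate too, a matching `allow vold_prepare_subdirs { … }:file relabelfrom;` would be needed.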