From fad4d5fb00ddb1f61c22c003429e10f10b046d0d Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Mon, 16 Jun 2014 14:19:31 -0700 Subject: [PATCH] Fix SELinux policies to allow resource overlays. The following commits added support for runtime resource overlays. New command line tool 'idmap' * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5 Runtime resource overlay, iteration 2 * 48d22323ce39f9aab003dce74456889b6414af55 Runtime resource overlay, iteration 2, test cases * ad6ed950dbfa152c193dd7e49c369d9e831f1591 During SELinux tightening, support for these runtime resource overlays was unknowingly broken. Fix it. This change has been tested by hackbod and she reports that everything is working after this change. I haven't independently verified the functionality. Test cases are available for this by running: * python frameworks/base/core/tests/overlaytests/testrunner.py Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40 --- app.te | 4 ++++ file.te | 2 ++ file_contexts | 1 + installd.te | 4 ++++ system_server.te | 4 ++++ zygote.te | 3 +++ 6 files changed, 18 insertions(+) diff --git a/app.te b/app.te index 73febbcde..df8ff81b4 100644 --- a/app.te +++ b/app.te @@ -141,6 +141,10 @@ allow appdomain shared_relro_file:file r_file_perms; # Allow apps to read/execute installed binaries allow appdomain apk_data_file:file { rx_file_perms execmod }; +# /data/resource-cache +allow appdomain resourcecache_data_file:file r_file_perms; +allow appdomain resourcecache_data_file:dir r_dir_perms; + ### ### CTS-specific rules ### diff --git a/file.te b/file.te index 1ea4a721f..18bafa41c 100644 --- a/file.te +++ b/file.te @@ -61,6 +61,8 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject; type dalvikcache_data_file, file_type, data_file_type; # /data/dalvik-cache/profiles type dalvikcache_profiles_data_file, file_type, data_file_type; +# /data/resource-cache +type resourcecache_data_file, file_type, data_file_type; # /data/local - writable by shell type shell_data_file, file_type, data_file_type; # /data/gps diff --git a/file_contexts b/file_contexts index 8ea7f6db1..82b8c1c1b 100644 --- a/file_contexts +++ b/file_contexts @@ -173,6 +173,7 @@ /data/system/ndebugsocket u:object_r:system_ndebug_socket:s0 /data/drm(/.*)? u:object_r:drm_data_file:s0 /data/gps(/.*)? u:object_r:gps_data_file:s0 +/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 /data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0 /data/anr(/.*)? u:object_r:anr_data_file:s0 diff --git a/installd.te b/installd.te index eed034375..5faa1ec82 100644 --- a/installd.te +++ b/installd.te @@ -49,6 +49,10 @@ allow installd dalvikcache_data_file:file create_file_perms; allow installd dalvikcache_profiles_data_file:dir rw_dir_perms; allow installd dalvikcache_profiles_data_file:file create_file_perms; +# Create files under /data/resource-cache. +allow installd resourcecache_data_file:dir rw_dir_perms; +allow installd resourcecache_data_file:file create_file_perms; + # Upgrade from unlabeled userdata. # Just need enough to remove and/or relabel it. allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir }; diff --git a/system_server.te b/system_server.te index ffed556e2..5f2d69183 100644 --- a/system_server.te +++ b/system_server.te @@ -15,6 +15,10 @@ allow system_server system_server_tmpfs:file execute; # For art. allow system_server dalvikcache_data_file:file execute; +# /data/resource-cache +allow system_server resourcecache_data_file:file r_file_perms; +allow system_server resourcecache_data_file:dir r_dir_perms; + # ptrace to processes in the same domain for debugging crashes. allow system_server self:process ptrace; diff --git a/zygote.te b/zygote.te index da3a03723..c2a325eec 100644 --- a/zygote.te +++ b/zygote.te @@ -24,6 +24,9 @@ allow zygote system_data_file:file r_file_perms; # Write to /data/dalvik-cache. allow zygote dalvikcache_data_file:dir create_dir_perms; allow zygote dalvikcache_data_file:file create_file_perms; +# Write to /data/resource-cache +allow zygote resourcecache_data_file:dir rw_dir_perms; +allow zygote resourcecache_data_file:file create_file_perms; # For art. allow zygote dalvikcache_data_file:file execute; # Execute dexopt.