53c76a25bb
This partly reverts fa10a14fac. There we
removed individual labels for various apexdata labels, replacing them
with apex_system_server_data_file.
Unfortunately that doesn't handle upgrade scenarios well, e.g. when
updating system but keeping the old vendor sepolicy. The directories
keep their old labels, and vold_prepare_subdirs is unable to relabel
them as there is no policy to allow it to.
So we bring back the legacy labels, in private not public, and add the
rules needed to ensure system_server and vold_prepare_subdirs have the
access they need. All the other access needed is obtained via the
apex_data_file_type attribute.
Bug: 217581286
Test: Reset labels using chcon, reboot, directories are relabeled, no denials
Change-Id: If696882450f2634e382f217dab8f9f3882bff03f
63 lines
2.2 KiB
Text
63 lines
2.2 KiB
Text
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
|
|
|
|
typeattribute vold_prepare_subdirs mlstrustedsubject;
|
|
|
|
allow vold_prepare_subdirs system_file:file execute_no_trans;
|
|
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
|
|
allow vold_prepare_subdirs vold:fd use;
|
|
allow vold_prepare_subdirs vold:fifo_file { read write };
|
|
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
|
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
|
|
allow vold_prepare_subdirs self:process setfscreate;
|
|
allow vold_prepare_subdirs {
|
|
system_data_file
|
|
vendor_data_file
|
|
}:dir { open read write add_name remove_name rmdir relabelfrom };
|
|
allow vold_prepare_subdirs {
|
|
apex_data_file_type
|
|
apex_module_data_file
|
|
apex_rollback_data_file
|
|
backup_data_file
|
|
checkin_data_file
|
|
face_vendor_data_file
|
|
fingerprint_vendor_data_file
|
|
iris_vendor_data_file
|
|
rollback_data_file
|
|
storaged_data_file
|
|
system_data_file
|
|
vold_data_file
|
|
}:dir { create_dir_perms relabelto };
|
|
allow vold_prepare_subdirs {
|
|
apex_data_file_type
|
|
apex_art_staging_data_file
|
|
apex_module_data_file
|
|
apex_rollback_data_file
|
|
backup_data_file
|
|
checkin_data_file
|
|
face_vendor_data_file
|
|
fingerprint_vendor_data_file
|
|
iris_vendor_data_file
|
|
rollback_data_file
|
|
storaged_data_file
|
|
system_data_file
|
|
vold_data_file
|
|
}:file { getattr unlink };
|
|
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
|
|
allow vold_prepare_subdirs mnt_expand_file:dir search;
|
|
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
|
|
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
|
|
|
|
# Migrate legacy labels to apex_system_server_data_file (b/217581286)
|
|
allow vold_prepare_subdirs {
|
|
apex_appsearch_data_file
|
|
apex_permission_data_file
|
|
apex_scheduling_data_file
|
|
apex_wifi_data_file
|
|
}:dir relabelfrom;
|
|
|
|
# /data/misc is unlabeled during early boot.
|
|
allow vold_prepare_subdirs unlabeled:dir search;
|
|
|
|
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
|