From 62487c92ba01fd74b9314b385ecd4f87c100238e Mon Sep 17 00:00:00 2001 From: Tianjie Date: Fri, 15 Oct 2021 20:32:42 -0700 Subject: [PATCH] Correct the permission of checkin dir Gmscore runs in cache group, so set the own:group of the checkin directory to system:cache to align with other use cases. Because we want proper user separation when accessing the dir, also provide user id to set the correct selinux mls_level. Bug: 197636740 Test: check selinux label, make sure checkin can access the directory. Change-Id: Id47a2a30a2f37c204ef72a81ac2aebe4ee3a37b0 --- vold_prepare_subdirs.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/vold_prepare_subdirs.cpp b/vold_prepare_subdirs.cpp index ad4fa99..862191c 100644 --- a/vold_prepare_subdirs.cpp +++ b/vold_prepare_subdirs.cpp @@ -208,11 +208,15 @@ static bool prepare_subdirs(const std::string& volume_uuid, int user_id, int fla if (!prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/vold")) return false; if (!prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/storaged")) return false; if (!prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/rollback")) return false; - if (!prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/checkin")) return false; - // TODO: Return false if this returns false once sure this should succeed. prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/apexrollback"); prepare_apex_subdirs(sehandle, misc_ce_path); + // Give gmscore (who runs in cache group) access to the checkin directory. Also provide + // the user id to set the correct selinux mls_level. + if (!prepare_dir_for_user(sehandle, 0770, AID_SYSTEM, AID_CACHE, + misc_ce_path + "/checkin", user_id)) { + return false; + } auto system_ce_path = android::vold::BuildDataSystemCePath(user_id); if (!prepare_dir(sehandle, 0700, AID_SYSTEM, AID_SYSTEM, system_ce_path + "/backup")) {