-rw-r--r--installd.te8
-rw-r--r--system_server.te5
-rw-r--r--vold.te7
3 files changed, 15 insertions, 5 deletions
diff --git a/installd.te b/installd.te
index 3ce2c5d..f84075a 100644
--- a/installd.te
+++ b/installd.te
@@ -49,9 +49,11 @@ allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
allow installd dalvikcache_profiles_data_file:file create_file_perms;
# Upgrade from unlabeled userdata.
-# Just need enough to relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
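Review bot: The comments on the new `unlabeled` rules understate their scope: `unlabeled` is the type any object falls back to when it carries no valid label, so these rules give installd write, rename, unlink and read over every such object under its reach, not only upgrade leftovers or pkg.apk. The same applies to the `allow system_server unlabeled:file r_file_perms;` rule added in system_server.te. I would state this next to the rule, e.g. `# Grants read on every unlabeled file, not only pkg.apk.` Separately, if `rw_dir_perms` expands as it usually does, it already contains `getattr` and `search`, so the dir rule can be written `allow installd unlabeled:dir { rw_dir_perms relabelfrom rmdir };`.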
diff --git a/system_server.te b/system_server.te
index 4b8e384..50c9d98 100644
--- a/system_server.te
+++ b/system_server.te
@@ -227,6 +227,11 @@ allow system_server zoneinfo_data_file:file create_file_perms;
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
# Populate com.android.providers.settings/databases/settings.db.
allow system_server system_app_data_file:dir create_dir_perms;
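Review bot: The added `allow system_server unlabeled:dir r_dir_perms;` is described as "also permit", yet the rule directly above it grants only `{ getattr read search }`. If `r_dir_perms` has its usual expansion, the new rule additionally grants `open` and `ioctl` on unlabeled directories, which is wider than what the labelled /data/data subdirectories get. Either mirror the neighbouring rule with `allow system_server unlabeled:dir { getattr read search };` or say in the comment why the larger set is required for the asec case.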
diff --git a/vold.te b/vold.te
index 30cd9d2..0247bfe 100644
--- a/vold.te
+++ b/vold.te
@@ -71,10 +71,13 @@ allow vold ctl_fuse_prop:property_service set;
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
+allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
# Handle wake locks (used for device encryption)
wakelock_use(vold)
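Review bot: The `relabelto` added to the two `asec_apk_file` rules is undocumented; the new comment sits above the `unlabeled` rules only, so nothing ties the two changes together. Presumably vold's restorecon moves objects from `unlabeled` to `asec_apk_file`, which needs `relabelfrom` on the source type and `relabelto` on the target type. I would put a comment above the `asec_apk_file:dir` line such as `# relabelto: target type when restorecon'ing asec containers created on 4.2 or earlier.` so the grant is not later mistaken for a stray permission.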