authorRobert Craig <rpcraig@tycho.ncsc.mil>2014-02-04 10:53:00 -0500
committerSteve Kondik <shade@chemlab.org>2014-03-21 01:00:21 -0700
commit83b686ea57da98573f3a36cc2f97c907ad060ea4 (patch)
tree7594b028ce549892e50efcdd164d278a62fe5b33
parenta0f2f898ad4da372597b82d0cbcb4af0cdc87bce (diff)
Add SELinux restorecon calls on ASEC containers.
This will allow fine-grained labeling of the contents of ASEC containers. Some of the contents need to be world readable and thus should be distinguishable in policy. Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-rw-r--r--Android.mk3
-rw-r--r--VolumeManager.cpp8
2 files changed, 10 insertions, 1 deletions
diff --git a/Android.mk b/Android.mk
index d1488eb..fabc561 100644
--- a/Android.mk
+++ b/Android.mk
@@ -59,7 +59,8 @@ common_libraries := \
liblog \
libdiskconfig \
libext2_blkid \
- liblogwrap
+ liblogwrap \
+ libselinux
common_static_libraries := \
libfs_mgr \
diff --git a/VolumeManager.cpp b/VolumeManager.cpp
index 6c94b65..4d718ef 100644
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@@ -36,6 +36,8 @@
#include <cutils/log.h>
#include <cutils/properties.h>
+#include <selinux/android.h>
+
#include <sysutils/NetlinkEvent.h>
#include <private/android_filesystem_config.h>
@@ -619,6 +621,12 @@ int VolumeManager::fixupAsecPermissions(const char *id, gid_t gid, const char* f
} else if (ftsent->fts_info & FTS_F) {
result |= fchmod(fd, privateFile ? 0640 : 0644);
}
+
+ if (selinux_android_restorecon(ftsent->fts_path) < 0) {
+ SLOGE("restorecon failed for %s: %s\n", ftsent->fts_path, strerror(errno));
+ result |= -1;
+ }
+
close(fd);
}
fts_close(fts);
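Review bot: The added `selinux_android_restorecon(ftsent->fts_path)` relabels by path, while the mode change just above it goes through the already-open descriptor (`fchmod(fd, ...)`), so the label lands on whatever the path resolves to at that moment rather than on the object that was opened. Whether the two can diverge depends on who may modify the mounted container during the walk and on how the entry was opened, neither of which is visible in this hunk. Either apply the context through the descriptor (libselinux provides `fsetfilecon()` for an fd) or record the assumption next to the call, e.g. `/* restorecon is path-based; assumes nothing else modifies the container during fixup */`. Separately, the trailing `\n` in the `SLOGE` format string is probably redundant, since the Android log macros normally terminate the record themselves. The body of `fixupAsecPermissions` starts and ends outside the hunk.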