Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 12b7ccd8f78df8cbd2e35218f39a716634051938^! / .
commit12b7ccd8f78df8cbd2e35218f39a716634051938[log] [tgz]
authorMohammad Samiul Islam <samiul@google.com>Fri Jan 22 21:04:10 2021 +0000
committerMohammad Islam <samiul@google.com>Mon Feb 01 13:39:44 2021 +0000
tree9902a408d1572cdc9a4bf79e7e4fcae98b38bdbc
parentbbb67dbbca1f4f5b1782778a22d478e9ed75efaa [diff]
Allow apexd to relabel files in /data/apex/decompressed

We have created a new directory called /data/apex/decompressed. All
files under this directory will have staging_data_file label, but
the directory itself needs to have apex_data_file label. This is
because apexd needs to write inside this directory and we don't want
to give apexd write access to staging_data_file label.

When a file is written under this directory, it gets its parent's label.
So we need to restore the proper labeling. Hence, we are allowing apexd
labeling permissions.

Bug: 172911820
Test: atest ApexCompressionTests#testCompressedApexIsActivated
Change-Id: I0a910fa5591b2aace70804701545eb4ac510ec24

diff --git a/private/apexd.te b/private/apexd.te
index c3da0fe..f6e8058 100644
--- a/private/apexd.te
+++ b/private/apexd.te

@@ -5,6 +5,8 @@
 # Allow creating, reading and writing of APEX files/dirs in the APEX data dir
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;
+# Allow relabeling file created in /data/apex/decompressed
+allow apexd apex_data_file:file relabelfrom;
 
 # Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
 allow apexd metadata_file:dir search;
@@ -78,6 +80,8 @@
 # allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
+# # Allow relabeling file created in /data/apex/decompressed
+allow apexd staging_data_file:file relabelto;
 
 # allow apexd to read files from /vendor/apex
 allow apexd vendor_apex_file:dir r_dir_perms;

diff --git a/private/file_contexts b/private/file_contexts
index 7aeba99..2a76712 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -518,6 +518,7 @@
 /data/apex(/.*)?		u:object_r:apex_data_file:s0
 /data/apex/active/(.*)?		u:object_r:staging_data_file:s0
 /data/apex/backup/(.*)?		u:object_r:staging_data_file:s0
+/data/apex/decompressed/(.*)?    u:object_r:staging_data_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
 # Traditional /data/app/[packageName]-[randomString]/base.apk location
 /data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0