Merge "Refactor apex data file types."
diff --git a/private/apexd.te b/private/apexd.te
index b923cdb..d9017cb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,20 +18,12 @@
 allow apexd apex_ota_reserved_file:file create_file_perms;
 
 # Allow apexd to create files and directories for snapshots of apex data
-allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
-allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_art_data_file:file { create_file_perms relabelto };
-allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_permission_data_file:file { create_file_perms relabelto };
+allow apexd apex_data_file_type:dir { create_dir_perms relabelto };
+allow apexd apex_data_file_type:file { create_file_perms relabelto };
 allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
 allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
 allow apexd apex_rollback_data_file:dir create_dir_perms;
 allow apexd apex_rollback_data_file:file create_file_perms;
-allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
-allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
 
 # Allow apexd to read directories under /data/misc_de in order to snapshot and
 # restore apex data for all users.
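Review bot: The two new `apex_data_file_type` rules give apexd create and `relabelto` over every type that carries the attribute, including types tagged later, but the comment above them still reads as if it covered a fixed set. I would add a line such as `# Applies to every type tagged apex_data_file_type; tagging a new type grants apexd create and relabelto on it.` The same applies to both `allow vold_prepare_subdirs { ... }` hunks in private/vold_prepare_subdirs.te, where the attribute replaces the explicit type list. The attribute is declared in public/attributes, so it may be usable outside platform policy; please confirm that is intended.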
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index c943973..0eb5e64 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -14,6 +14,7 @@
     apex_info_file
     apex_ota_reserved_file
     apex_scheduling_data_file
+    apex_system_server_data_file
     apexd_config_prop
     app_hibernation_service
     appcompat_data_file
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 1176046..c33bc73 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -1,3 +1,9 @@
+;; types removed from current policy
+(type apex_appsearch_data_file)
+(type apex_permission_data_file)
+(type apex_scheduling_data_file)
+(type apex_wifi_data_file)
+
 (expandtypeattribute (DockObserver_service_31_0) true)
 (expandtypeattribute (IProxyService_service_31_0) true)
 (expandtypeattribute (aac_drc_prop_31_0) true)
@@ -1250,18 +1256,18 @@
 (typeattributeset alarm_service_31_0 (alarm_service))
 (typeattributeset anr_data_file_31_0 (anr_data_file))
 (typeattributeset apc_service_31_0 (apc_service))
-(typeattributeset apex_appsearch_data_file_31_0 (apex_appsearch_data_file))
+(typeattributeset apex_appsearch_data_file_31_0 (apex_appsearch_data_file apex_system_server_data_file))
 (typeattributeset apex_data_file_31_0 (apex_data_file))
 (typeattributeset apex_info_file_31_0 (apex_info_file))
 (typeattributeset apex_metadata_file_31_0 (apex_metadata_file))
 (typeattributeset apex_mnt_dir_31_0 (apex_mnt_dir))
 (typeattributeset apex_module_data_file_31_0 (apex_module_data_file))
 (typeattributeset apex_ota_reserved_file_31_0 (apex_ota_reserved_file))
-(typeattributeset apex_permission_data_file_31_0 (apex_permission_data_file))
+(typeattributeset apex_permission_data_file_31_0 (apex_permission_data_file apex_system_server_data_file))
 (typeattributeset apex_rollback_data_file_31_0 (apex_rollback_data_file))
-(typeattributeset apex_scheduling_data_file_31_0 (apex_scheduling_data_file))
+(typeattributeset apex_scheduling_data_file_31_0 (apex_scheduling_data_file apex_system_server_data_file))
 (typeattributeset apex_service_31_0 (apex_service))
-(typeattributeset apex_wifi_data_file_31_0 (apex_wifi_data_file))
+(typeattributeset apex_wifi_data_file_31_0 (apex_wifi_data_file apex_system_server_data_file))
 (typeattributeset apexd_31_0 (apexd))
 (typeattributeset apexd_config_prop_31_0 (apexd_config_prop))
 (typeattributeset apexd_exec_31_0 (apexd_exec))
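Review bot: Adding `apex_system_server_data_file` to all four versioned attributes (`apex_appsearch_data_file_31_0`, `apex_permission_data_file_31_0`, `apex_scheduling_data_file_31_0`, `apex_wifi_data_file_31_0`) means a 31.0 vendor rule written against any one of the old types now reaches the data of all four modules. That is probably unavoidable once the types are merged, but it widens access for older vendor images and should be recorded next to these lines, e.g. `;; apex_system_server_data_file replaces four 31.0 types; a 31.0 rule on any one of them now covers all four.` Whether any vendor policy actually holds such a rule cannot be seen from this diff.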
diff --git a/private/file.te b/private/file.te
index 0f7e689..29ab8a9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -43,7 +43,7 @@
 type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
 
 # /data/misc/apexdata/com.android.art
-type apex_art_data_file, file_type, data_file_type, core_data_file_type;
+type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
 # /data/misc/apexdata/com.android.art/staging
 type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
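Review bot: `apex_art_staging_data_file`, two lines below the changed declaration, is left without `apex_data_file_type`, and nothing says whether that is deliberate. Tagging it later would hand apexd create and `relabelto` over the staging directory through the attribute rules in private/apexd.te. A short comment such as `# Deliberately not apex_data_file_type: apexd does not snapshot the staging directory.` would guard against that. The reason is inferred from the rules in this change, so confirm it before adopting the wording.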
diff --git a/private/file_contexts b/private/file_contexts
index 2ac0981..8e341de 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -568,9 +568,9 @@
 /data/misc/a11ytrace(/.*)?      u:object_r:accessibility_trace_data_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc/apexdata/com\.android\.art(/.*)?           u:object_r:apex_art_data_file:s0
-/data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_permission_data_file:s0
-/data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_system_server_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
 /data/misc/appcompat(/.*)?      u:object_r:appcompat_data_file:s0
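Review bot: Devices upgrading across this change will still have directories under /data/misc/apexdata labelled `apex_permission_data_file`, `apex_scheduling_data_file` or `apex_wifi_data_file`, which the current policy no longer defines. This hunk changes only the target label. The next hunk does the same for the misc_de and misc_ce paths, including `apex_appsearch_data_file`. Please confirm that the upgrade path runs restorecon over these trees before system_server touches them, and that the relabelling domain holds `relabelfrom` on whatever label the kernel presents for the stale context; neither is visible from here. Once confirmed, a comment such as `# Formerly apex_{permission,scheduling,wifi}_data_file; merged into one type.` above the three entries would record the history.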
@@ -672,11 +672,11 @@
 # Apex data directories
 /data/misc_de/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_ce/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)?   u:object_r:apex_appsearch_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)?  u:object_r:apex_wifi_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)?  u:object_r:apex_wifi_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)?   u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_system_server_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)?        u:object_r:apex_system_server_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)?        u:object_r:apex_system_server_data_file:s0
 
 # Apex rollback directories
 /data/misc_de/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 5d685c3..0744bec 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1293,14 +1293,9 @@
 
 # Allow the system server to manage relevant apex module data files.
 allow system_server apex_module_data_file:dir { getattr search };
-allow system_server apex_appsearch_data_file:dir create_dir_perms;
-allow system_server apex_appsearch_data_file:file create_file_perms;
-allow system_server apex_permission_data_file:dir create_dir_perms;
-allow system_server apex_permission_data_file:file create_file_perms;
-allow system_server apex_scheduling_data_file:dir create_dir_perms;
-allow system_server apex_scheduling_data_file:file create_file_perms;
-allow system_server apex_wifi_data_file:dir create_dir_perms;
-allow system_server apex_wifi_data_file:file create_file_perms;
+# These are modules where the code runs in system_server, so we need full access.
+allow system_server apex_system_server_data_file:dir create_dir_perms;
+allow system_server apex_system_server_data_file:file create_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
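Review bot: The new comment says "these are modules" without naming them, while file_contexts in this change assigns the label to com.android.appsearch, com.android.permission, com.android.scheduling and com.android.wifi. Naming them, e.g. `# appsearch, permission, scheduling, wifi: module code runs in system_server, so full access is needed.`, gives whoever next adds a path to `apex_system_server_data_file` something to check against. Since one label now covers four modules' data, any domain later granted access to it reaches all of them.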
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 956e94e..ad7e6bb 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,13 +16,9 @@
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
-    apex_appsearch_data_file
-    apex_art_data_file
+    apex_data_file_type
     apex_module_data_file
-    apex_permission_data_file
     apex_rollback_data_file
-    apex_scheduling_data_file
-    apex_wifi_data_file
     backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
@@ -33,14 +29,10 @@
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
-    apex_appsearch_data_file
-    apex_art_data_file
+    apex_data_file_type
     apex_art_staging_data_file
     apex_module_data_file
-    apex_permission_data_file
     apex_rollback_data_file
-    apex_scheduling_data_file
-    apex_wifi_data_file
     backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
diff --git a/public/attributes b/public/attributes
index 15c5000..e3ea547 100644
--- a/public/attributes
+++ b/public/attributes
@@ -399,3 +399,7 @@
 
 # All types used for DSU metadata files.
 attribute gsi_metadata_file_type;
+
+# Types used for module-specific APEX data directories under
+# /data/{misc,misc_ce,misc_de}/apexdata.
+attribute apex_data_file_type;
diff --git a/public/file.te b/public/file.te
index cfac66d..cf65c7d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -386,13 +386,10 @@
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
+type apex_system_server_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
 type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
-type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
 type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
-type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
-type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
 type appcompat_data_file, file_type, data_file_type, core_data_file_type;
 type audio_data_file, file_type, data_file_type, core_data_file_type;
 type audioserver_data_file, file_type, data_file_type, core_data_file_type;