commit 53c76a25bbf9266178b61d157c7f4f9efb6b36d5
author Alan Stokes <alanstokes@google.com> Tue Feb 08 15:44:06 2022 +0000
committer Alan Stokes <alanstokes@google.com> Tue Feb 08 16:07:08 2022 +0000
tree 0a1b431b1772a568551af5f545a0b40ddf085e8b
parent e335de9aeb94eb29c3fabad695dfc66f041d1eca

Support legacy apexdata labels

This partly reverts fa10a14fac28f9c407b4ff800972f9cef75fcf35. There we
removed individual labels for various apexdata labels, replacing them
with apex_system_server_data_file.

Unfortunately that doesn't handle upgrade scenarios well, e.g. when
updating system but keeping the old vendor sepolicy. The directories
keep their old labels, and vold_prepare_subdirs is unable to relabel
them as there is no policy to allow it to.

So we bring back the legacy labels, in private not public, and add the
rules needed to ensure system_server and vold_prepare_subdirs have the
access they need. All the other access needed is obtained via the
apex_data_file_type attribute.

Bug: 217581286
Test: Reset labels using chcon, reboot, directories are relabeled, no denials
Change-Id: If696882450f2634e382f217dab8f9f3882bff03f

private/file.te

diff --git a/private/file.te b/private/file.te
index 5b6170f..759fede 100644
--- a/private/file.te
+++ b/private/file.te
@@ -54,6 +54,13 @@
 # /data/misc/apexdata/com.android.compos
 type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
+# for backward compatibility b/217581286
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;
 

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 1e79932..1cf7ac4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1329,6 +1329,19 @@
 # These are modules where the code runs in system_server, so we need full access.
 allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
+# Legacy labels that we still need to support (b/217581286)
+allow system_server {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:dir create_dir_perms;
+allow system_server {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:file create_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.

private/vold_prepare_subdirs.te

diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index c6d482a..e4004e4 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -48,6 +48,15 @@
 allow vold_prepare_subdirs mnt_expand_file:dir search;
 allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
 allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+
+# Migrate legacy labels to apex_system_server_data_file (b/217581286)
+allow vold_prepare_subdirs {
+  apex_appsearch_data_file
+  apex_permission_data_file
+  apex_scheduling_data_file
+  apex_wifi_data_file
+}:dir relabelfrom;
+
 # /data/misc is unlabeled during early boot.
 allow vold_prepare_subdirs unlabeled:dir search;