Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9cd93e48da9d3aa8f337ba18ca9473606f61dec4^1..9cd93e48da9d3aa8f337ba18ca9473606f61dec4 / .
commit9cd93e48da9d3aa8f337ba18ca9473606f61dec4[log] [tgz]
authorTianjie Xu <xunchang@google.com>Fri Oct 15 21:19:26 2021 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Fri Oct 15 21:19:26 2021 +0000
tree9d20c4f69302743fbd1cd831ec4a425f8338177c
parent29dc02c04417ba76bf079d9414d51a992d892c4a [diff]
parentb729aa6c5e0eafc381865d40e827c18b6ab2b832 [diff]
Merge "Add context for checkin directory"
diff --git a/private/app.te b/private/app.te
index 2b3554f..8477133 100644
--- a/private/app.te
+++ b/private/app.te

@@ -103,3 +103,7 @@
   -system_data_file # shared libs in apks
   -apk_data_file
 }:file no_x_file_perms;
+
+# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
+neverallow { appdomain -gmscore_app } checkin_data_file:file *;

diff --git a/private/file.te b/private/file.te
index 7e0bdd2..f2d3f56 100644
--- a/private/file.te
+++ b/private/file.te

@@ -30,6 +30,9 @@
 # of application data.
 type rollback_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc_ce/checkin for checkin apps.
+type checkin_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/gsi/ota
 type ota_image_data_file, file_type, data_file_type, core_data_file_type;
 

diff --git a/private/file_contexts b/private/file_contexts
index bc75fd3..55b9e41 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -658,6 +658,9 @@
 /data/misc_de/[0-9]+/storaged(/.*)?       u:object_r:storaged_data_file:s0
 /data/misc_ce/[0-9]+/storaged(/.*)?       u:object_r:storaged_data_file:s0
 
+# checkin data files
+/data/misc_ce/[0-9]+/checkin(/.*)? u:object_r:checkin_data_file:s0
+
 # Fingerprint data
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
 

diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 571d155..799d7ff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te

@@ -121,6 +121,10 @@
 allow gmscore_app ota_package_file:dir rw_dir_perms;
 allow gmscore_app ota_package_file:file create_file_perms;
 
+# Write the checkin metadata to /data/misc_ce/<userid>/checkin
+allow gmscore_app checkin_data_file:dir rw_dir_perms;
+allow gmscore_app checkin_data_file:file create_file_perms;
+
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow gmscore_app shell_data_file:file r_file_perms;

diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index ad7e6bb..c6d482a 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te

@@ -20,6 +20,7 @@
     apex_module_data_file
     apex_rollback_data_file
     backup_data_file
+    checkin_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
@@ -34,6 +35,7 @@
     apex_module_data_file
     apex_rollback_data_file
     backup_data_file
+    checkin_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file