Merge "Add missing services to service_contexts."
diff --git a/app.te b/app.te
index 73febbc..df8ff81 100644
--- a/app.te
+++ b/app.te
@@ -141,6 +141,10 @@
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:file { rx_file_perms execmod };
 
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
 ###
 ### CTS-specific rules
 ###
diff --git a/attributes b/attributes
index 64de61a..613ed8f 100644
--- a/attributes
+++ b/attributes
@@ -11,6 +11,9 @@
 # All types used for filesystems.
 attribute fs_type;
 
+# All types used for context= mounts.
+attribute contextmount_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 attribute file_type;
diff --git a/domain.te b/domain.te
index b161467..6c800ab 100644
--- a/domain.te
+++ b/domain.te
@@ -259,3 +259,13 @@
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow { domain -recovery } contextmount_type:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
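Review bot: The first new neverallow, `neverallow domain {fs_type -contextmount_type}:filesystem relabelto;`, only constrains types carrying the fs_type attribute, so it does not by itself forbid a context= mount whose target is `unlabeled`; the fact that init.te and recovery.te in this same change strip `relabelto` from `unlabeled:filesystem` separately suggests unlabeled is not under fs_type. If so, any domain later granted `unlabeled:filesystem relabelto` could mount with context=unlabeled and then write through existing unlabeled rules (installd's `unlabeled:dir` permissions are visible in this diff), which is exactly the bypass the second neverallow is meant to close. Consider widening it to `neverallow domain { fs_type unlabeled -contextmount_type }:filesystem relabelto;` if no remaining rule depends on that permission. Both neverallow statements are complete within the hunk.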
diff --git a/file.te b/file.te
index 4e2b717..18bafa4 100644
--- a/file.te
+++ b/file.te
@@ -33,7 +33,7 @@
 type debugfs, fs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
-type oemfs, fs_type;
+type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 
 # File types
@@ -61,6 +61,8 @@
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/dalvik-cache/profiles
 type dalvikcache_profiles_data_file, file_type, data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
 type shell_data_file, file_type, data_file_type;
 # /data/gps
diff --git a/file_contexts b/file_contexts
index 8ea7f6d..82b8c1c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -173,6 +173,7 @@
 /data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
diff --git a/init.te b/init.te
index 8421fa3..e4d1f88 100644
--- a/init.te
+++ b/init.te
@@ -10,8 +10,17 @@
 allow init dev_type:blk_file rw_file_perms;
 
 # Mounting filesystems.
-allow init fs_type:filesystem *;
-allow init unlabeled:filesystem *;
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init fs_type:filesystem ~relabelto;
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
 
 # restorecon and restorecon_recursive calls from init.rc files.
 # system/core/init.rc requires at least cache_file and data_file_type.
diff --git a/installd.te b/installd.te
index eed0343..5faa1ec 100644
--- a/installd.te
+++ b/installd.te
@@ -49,6 +49,10 @@
 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
 
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/recovery.te b/recovery.te
index df1e60d..c6c5417 100644
--- a/recovery.te
+++ b/recovery.te
@@ -17,8 +17,9 @@
 
   # Mount filesystems.
   allow recovery rootfs:dir mounton;
-  allow recovery fs_type:filesystem *;
-  allow recovery unlabeled:filesystem *;
+  allow recovery fs_type:filesystem ~relabelto;
+  allow recovery unlabeled:filesystem ~relabelto;
+  allow recovery contextmount_type:filesystem relabelto;
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
diff --git a/system_server.te b/system_server.te
index ffed556..5f2d691 100644
--- a/system_server.te
+++ b/system_server.te
@@ -15,6 +15,10 @@
 # For art.
 allow system_server dalvikcache_data_file:file execute;
 
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
 # ptrace to processes in the same domain for debugging crashes.
 allow system_server self:process ptrace;
 
diff --git a/unconfined.te b/unconfined.te
index 4dc30db..8e40b06 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -48,7 +48,8 @@
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {
     file_type
     -keystore_data_file
@@ -61,7 +62,12 @@
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
-allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {
+    fs_type
+    -usermodehelper
+    -proc_security
+    -contextmount_type
+}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {
     file_type
@@ -73,6 +79,8 @@
     -shell_data_file
 }:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain contextmount_type:dir r_dir_perms;
+allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
diff --git a/zygote.te b/zygote.te
index da3a037..c2a325e 100644
--- a/zygote.te
+++ b/zygote.te
@@ -24,6 +24,9 @@
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
+# Write to /data/resource-cache
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.