drop_caches label, vold scratch space on expanded.

Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.

Also let vold create new directories under its private storage area
where the benchmarks will be carried out.  Mirror the definition of
the private storage area on expanded media.

avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
diff --git a/file.te b/file.te
index 3bbf9a5..5e8687a 100644
--- a/file.te
+++ b/file.te
@@ -6,6 +6,8 @@
 type proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type;
+# Type for /proc/sys/vm/drop_caches
+type proc_drop_caches, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
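Review bot: Nothing in the hunks shown pins which domains may write `proc_drop_caches`, so a later broad allow rule could re-grant it without anyone noticing. The commit gives the node its own type to narrow access, and a compile-time guard would keep it narrow, for example `neverallow { domain -vold -recovery -install_recovery } proc_drop_caches:file write;`. Extend the exception list with any other legitimate writer that this diff does not show. Whether that rule belongs next to the type or in a domain-wide policy file is a project convention I cannot see from here.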
diff --git a/file_contexts b/file_contexts
index 1c6b56c..9f895da 100644
--- a/file_contexts
+++ b/file_contexts
@@ -267,6 +267,7 @@
 /mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
 /mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
 /mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
 
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
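Review bot: The new `/mnt/expand/[^/]+/misc/vold(/.*)?` entry only takes effect when the path is created with, or relabelled to, `vold_data_file`. A `misc/vold` directory that already exists on an adopted volume keeps whatever label it had. The diff does not show who creates or restorecons this directory on expanded media, so confirm that the mount path runs a recursive restorecon or that vold creates the directory itself. Otherwise the `vold_data_file` rules in vold.te will not match and the benchmarks are likely to hit denials on the expanded volume.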
diff --git a/genfs_contexts b/genfs_contexts
index f796786..cdf65bc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,7 @@
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
 
diff --git a/install_recovery.te b/install_recovery.te
index 1385220..2d80b08 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -23,6 +23,4 @@
 allow install_recovery cache_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
-# TODO: create a specific label for this file instead of allowing
-# write for all /proc files.
-allow install_recovery proc:file w_file_perms;
+allow install_recovery proc_drop_caches:file w_file_perms;
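Review bot: Replacing `allow install_recovery proc:file w_file_perms;` with the `proc_drop_caches` rule removes write access to every other node labelled `proc`, not only drop_caches. The same holds for the matching change in the recovery.te hunk. The retained comments say drop_caches was the only intended target, but the old rule would also have silently covered any other /proc write these domains perform. Before merging, confirm with an enforcing-mode run of install-recovery and of a full recovery flow (OTA, sideload, wipe) that no new `avc: denied { write }` with `tcontext=u:object_r:proc:s0` appears.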
diff --git a/recovery.te b/recovery.te
index 29f1a50..2aad68b 100644
--- a/recovery.te
+++ b/recovery.te
@@ -41,8 +41,7 @@
   allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
 
   # Write to /proc/sys/vm/drop_caches
-  # TODO: create more specific label?
-  allow recovery proc:file w_file_perms;
+  allow recovery proc_drop_caches:file w_file_perms;
 
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
diff --git a/vold.te b/vold.te
index 191b63c..1a1913e 100644
--- a/vold.te
+++ b/vold.te
@@ -144,8 +144,11 @@
 allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
 # Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
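Review bot: The widening from `rw_dir_perms` to `create_dir_perms` on `vold_data_file:dir` carries no comment, and the existing "only vold can store files" line no longer describes the whole rule set. Going by the commit message, I would add `# vold creates benchmark subdirectories here, including under /mnt/expand/*/misc/vold` above the dir rule. The new drop_caches comment could also state the reason, as in `# Write to /proc/sys/vm/drop_caches before storage benchmarks`, so a later reader can judge whether the grant is still needed.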