Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / e3519d6c2a39e1abae38109d07fc23f9b0fcaf1d^1..e3519d6c2a39e1abae38109d07fc23f9b0fcaf1d / .
commite3519d6c2a39e1abae38109d07fc23f9b0fcaf1d[log] [tgz]
authorNick Kralevich <nnk@google.com>Tue May 13 21:15:41 2014 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue May 13 21:15:42 2014 +0000
treed89cf8da621aafb47d749b175b643232db742113
parentbc36ce1385f938d3d6c69d280e1cada8680f3115 [diff]
parentbaf49bd541a9df4f38bf917fbfc850569a4cae94 [diff]
Merge "Label /data/.layout_version with its own type."
diff --git a/file.te b/file.te
index 4f75d37..ac4220f 100644
--- a/file.te
+++ b/file.te

@@ -41,6 +41,9 @@
 type system_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# /data/.layout_version or other installd-created files that
+# are created in a system_data_file directory.
+type install_data_file, file_type, data_file_type;
 # /data/drm - DRM plugin data
 type drm_data_file, file_type, data_file_type;
 # /data/anr - ANR traces

diff --git a/file_contexts b/file_contexts
index ce26390..0926d74 100644
--- a/file_contexts
+++ b/file_contexts

@@ -164,6 +164,7 @@
 # Data files
 #
 /data(/.*)?		u:object_r:system_data_file:s0
+/data/.layout_version		u:object_r:install_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
 /data/security(/.*)?	u:object_r:security_file:s0

diff --git a/installd.te b/installd.te
index 8f332b2..cabebc6 100644
--- a/installd.te
+++ b/installd.te

@@ -31,7 +31,8 @@
 allow installd media_rw_data_file:dir relabelto;
 
 # Create /data/.layout_version.* file
-allow installd system_data_file:file create_file_perms;
+type_transition installd system_data_file:file install_data_file;
+allow installd install_data_file:file create_file_perms;
 
 # Create files under /data/dalvik-cache.
 allow installd dalvikcache_data_file:dir create_dir_perms;
@@ -49,9 +50,9 @@
 allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
 
 # Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it.
+# Just need enough to relabel it and to unlink removed package files.
 # Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom };
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
 
 # Manage /data/data subdirectories, including initially labeling them
 # upon creation via setfilecon or running restorecon_recursive,