Merge "drop_caches label, vold scratch space on expanded." into mnc-dev
diff --git a/file.te b/file.te
index 3bbf9a5..5e8687a 100644
--- a/file.te
+++ b/file.te
@@ -6,6 +6,8 @@
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
+# Type for /proc/sys/vm/drop_caches
+type proc_drop_caches, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 1c6b56c..9f895da 100644
--- a/file_contexts
+++ b/file_contexts
@@ -267,6 +267,7 @@
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
diff --git a/genfs_contexts b/genfs_contexts
index f796786..cdf65bc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,7 @@
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
diff --git a/install_recovery.te b/install_recovery.te
index 1385220..2d80b08 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -23,6 +23,4 @@
allow install_recovery cache_file:file create_file_perms;
# Write to /proc/sys/vm/drop_caches
-# TODO: create a specific label for this file instead of allowing
-# write for all /proc files.
-allow install_recovery proc:file w_file_perms;
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/recovery.te b/recovery.te
index 29f1a50..2aad68b 100644
--- a/recovery.te
+++ b/recovery.te
@@ -41,8 +41,7 @@
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
- # TODO: create more specific label?
- allow recovery proc:file w_file_perms;
+ allow recovery proc_drop_caches:file w_file_perms;
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
diff --git a/vold.te b/vold.te
index 191b63c..1a1913e 100644
--- a/vold.te
+++ b/vold.te
@@ -144,8 +144,11 @@
allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms;
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };