commit eab23895cd13ccb2a552dd9713bd1e88cf41e522
author Jean-Baptiste Queru <jbq@google.com> Thu Nov 01 14:21:26 2012 -0700
committer Android (Google) Code Review <android-gerrit@google.com> Thu Nov 01 14:21:26 2012 -0700
tree d9bb731b8453bc6cb739958491d56e04f0cf9257
parent 8c87a18d39db0104d97d72ed51e4654c9d29fd4b
parent 9ceb47b0c0f693e760d6ad0535f4a165491fa772

Merge "Revert "Include su.te only for userdebug/eng builds."" into jb-mr1-dev-plus-aosp

Android.mk

diff --git a/Android.mk b/Android.mk
index 2cc0f22..c023783 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,5 @@
 LOCAL_PATH:= $(call my-dir)
 
-include $(call all-makefiles-under,$(LOCAL_PATH))
-
 include $(CLEAR_VARS)
 
 # SELinux policy version.
@@ -80,18 +78,6 @@
 ###################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := checkfc
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES += external/libsepol/include external/libselinux/include
-LOCAL_SRC_FILES := checkfc.c
-LOCAL_STATIC_LIBRARIES := libsepol libselinux
-LOCAL_MODULE_CLASS := EXECUTABLES
-
-include $(BUILD_HOST_EXECUTABLE)
-
-##################################
-include $(CLEAR_VARS)
-
 LOCAL_MODULE := file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -175,3 +161,5 @@
 
 build_policy :=
 sepolicy_replace_paths :=
+
+include $(call all-makefiles-under,$(LOCAL_PATH))

app.te

diff --git a/app.te b/app.te
index 1540f08..22a393e 100644
--- a/app.te
+++ b/app.te
@@ -26,6 +26,9 @@
 allow platform_app apk_tmp_file:file rw_file_perms;
 # Read /dev/xt_qtaguid
 allow platform_app qtaguid_device:chr_file r_file_perms;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
@@ -53,6 +56,8 @@
 bluetooth_domain(shared_app)
 # Read logs.
 allow shared_app log_device:chr_file read;
+# ASEC
+r_dir_file(shared_app, asec_apk_file);
 
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;

check_seapp/Android.mk

diff --git a/check_seapp/Android.mk b/check_seapp/Android.mk
deleted file mode 100644
index e4a4acc..0000000
--- a/check_seapp/Android.mk
+++ /dev/null
@@ -1,15 +0,0 @@
-##
-# checkseapp
-#
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := checkseapp
-LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := $(LOCAL_PATH)/../libsepol/include/ 
-LOCAL_CFLAGS := -DLINK_SEPOL_STATIC 
-LOCAL_SRC_FILES := check_seapp/check_seapp.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_MODULE_CLASS := EXECUTABLES
-
-include $(BUILD_HOST_EXECUTABLE)

domain.te

diff --git a/domain.te b/domain.te
index 47ad05a..96f971c 100644
--- a/domain.te
+++ b/domain.te
@@ -54,6 +54,7 @@
 
 # Filesystem accesses.
 allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
 
 # System file accesses.
 allow domain system_file:dir r_dir_perms;

file.te

diff --git a/file.te b/file.te
index 451ad1d..70100a9 100644
--- a/file.te
+++ b/file.te
@@ -32,7 +32,6 @@
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type;
-type asec_data_file, file_type, data_file_type;
 type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
@@ -59,6 +58,10 @@
 type efs_file, file_type;
 # Type for wallpaper file.
 type wallpaper_file, file_type, mlstrustedobject;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type;
 
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per

file_contexts

diff --git a/file_contexts b/file_contexts
index 8876bfe..713da79 100644
--- a/file_contexts
+++ b/file_contexts
@@ -152,4 +152,5 @@
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 #############################
 # asec containers
-/mnt/asec(/.*)?         u:object_r:asec_data_file:s0
+/mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
+/data/app-asec(/.*)?    u:object_r:asec_image_file:s0

installd.te

diff --git a/installd.te b/installd.te
index 2a87eb7..553127c 100644
--- a/installd.te
+++ b/installd.te
@@ -20,3 +20,7 @@
 selinux_check_context(installd)
 # Read /seapp_contexts, presently on the rootfs.
 allow installd rootfs:file r_file_perms;
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file r_file_perms;

tools/Android.mk

diff --git a/tools/Android.mk b/tools/Android.mk
new file mode 100644
index 0000000..8d61e25
--- /dev/null
+++ b/tools/Android.mk
@@ -0,0 +1,24 @@
+LOCAL_PATH:= $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := checkseapp
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := external/libsepol/include/
+LOCAL_CFLAGS := -DLINK_SEPOL_STATIC
+LOCAL_SRC_FILES := check_seapp.c
+LOCAL_STATIC_LIBRARIES := libsepol
+
+include $(BUILD_HOST_EXECUTABLE)
+
+###################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := checkfc
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := external/libsepol/include \
+                    external/libselinux/include
+LOCAL_SRC_FILES := checkfc.c
+LOCAL_STATIC_LIBRARIES := libsepol libselinux
+
+include $(BUILD_HOST_EXECUTABLE)

tools/check_seapp.c

diff --git a/check_seapp/check_seapp.c b/tools/check_seapp.c
similarity index 100%
rename from check_seapp/check_seapp.c
rename to tools/check_seapp.c

tools/checkfc.c

diff --git a/checkfc.c b/tools/checkfc.c
similarity index 100%
rename from checkfc.c
rename to tools/checkfc.c

vold.te

diff --git a/vold.te b/vold.te
index 86dbbb7..60d6a37 100644
--- a/vold.te
+++ b/vold.te
@@ -16,7 +16,7 @@
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin };
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket *;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
@@ -39,7 +39,7 @@
 unix_socket_connect(vold, property, init)
 
 # Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
+allow vold labeledfs:filesystem { mount unmount remount };
 
 # Access /efs/userdata_footer.
 # XXX Split into a separate type?
@@ -53,7 +53,14 @@
 allow vold proc:file write;
 
 # Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { open read write create add_name mounton };
+allow vold system_data_file:dir { rw_dir_perms mounton };
 
 # Property Service
 allow vold vold_prop:property_service set;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold rootfs:file r_file_perms;
+allow vold asec_apk_file:dir { rw_dir_perms setattr };
+allow vold asec_apk_file:file { r_file_perms setattr };