Fix SELinux policies to allow resource overlays.
The following commits added support for runtime resource overlays.
New command line tool 'idmap'
* 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
* 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
* ad6ed950dbfa152c193dd7e49c369d9e831f1591
During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.
This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.
Test cases are available for this by running:
* python frameworks/base/core/tests/overlaytests/testrunner.py
Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
diff --git a/app.te b/app.te
index 73febbc..df8ff81 100644
--- a/app.te
+++ b/app.te
@@ -141,6 +141,10 @@
# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:file { rx_file_perms execmod };
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
###
### CTS-specific rules
###
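Review bot: The two new rules let every app domain, including untrusted third-party apps, read /data/resource-cache, but nothing in the patch pins the complementary invariant that app domains must never write there, even though idmap output steers resource resolution for other packages. Since installd and zygote are the intended writers in this commit, consider adding a neverallow alongside the grant, e.g. `neverallow appdomain resourcecache_data_file:file no_w_file_perms;` (using whichever write-denial macro this policy already defines), so a later broadening of app.te cannot silently open the cache. The comment would also be clearer as `# /data/resource-cache: read idmap files generated by installd/zygote`. Read access for all apps appears intended because overlays apply to any package, but that is inferred rather than stated in the change.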
diff --git a/file.te b/file.te
index 1ea4a72..18bafa4 100644
--- a/file.te
+++ b/file.te
@@ -61,6 +61,8 @@
type dalvikcache_data_file, file_type, data_file_type;
# /data/dalvik-cache/profiles
type dalvikcache_profiles_data_file, file_type, data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type;
# /data/gps
diff --git a/file_contexts b/file_contexts
index 8ea7f6d..82b8c1c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -173,6 +173,7 @@
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/gps(/.*)? u:object_r:gps_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
diff --git a/installd.te b/installd.te
index eed0343..5faa1ec 100644
--- a/installd.te
+++ b/installd.te
@@ -49,6 +49,10 @@
allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
allow installd dalvikcache_profiles_data_file:file create_file_perms;
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
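Review bot: installd gains create/write on the new type, but the upgrade block directly below it only grants `relabelfrom` on unlabeled; if /data/resource-cache can already exist on a device upgrading from a pre-labeling build, whatever relabels it also needs `relabelto` for resourcecache_data_file, which this hunk does not add unless a broader data_file_type relabelto rule lives elsewhere in installd.te (not visible here). The commit message introduces a new `idmap` tool; if installd spawns it, running it inside installd's own domain widens an already privileged daemon, and a dedicated idmap domain entered via a domain transition from installd would keep the new write grant out of installd itself. The comment could also name the consumer, e.g. `# Create idmap files under /data/resource-cache (read by system_server and apps).`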
diff --git a/system_server.te b/system_server.te
index ffed556..5f2d691 100644
--- a/system_server.te
+++ b/system_server.te
@@ -15,6 +15,10 @@
# For art.
allow system_server dalvikcache_data_file:file execute;
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;
diff --git a/zygote.te b/zygote.te
index da3a037..c2a325e 100644
--- a/zygote.te
+++ b/zygote.te
@@ -24,6 +24,9 @@
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
+# Write to /data/resource-cache
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
# For art.
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
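Review bot: Zygote is granted create/write on resourcecache_data_file even though installd receives the same write access in this commit, so one cache now has two privileged writers; if zygote only consumes idmap files after installd produces them, `r_dir_perms` and `r_file_perms` here (mirroring the system_server.te hunk) would be the least-privilege grant. If zygote does generate idmaps itself, for instance for system overlays at boot, a comment saying so would justify the extra write path, especially since the dalvik-cache rules above use `create_dir_perms` while this rule deliberately does not. The commit message notes the author did not independently verify the feature, so the audit log from the overlay test run would show which writer actually exercises this rule.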