From 7672eac5fb0d0ce3bcb52f11b125b25ac597ea3f Mon Sep 17 00:00:00 2001
From: rpcraig
Date: Mon, 22 Oct 2012 13:50:01 -0400
Subject: [PATCH] Add SELinux policy for asec containers.

Creates 2 new types:
- asec_apk_file : files found under /mnt/asec when the asec images are mounted
- asec_image_file : the actual encrypted apks under /data/app-asec

Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig
---
 app.te | 5 +++++
 domain.te | 1 +
 file.te | 5 ++++-
 file_contexts | 3 ++-
 installd.te | 4 ++++
 vold.te | 13 ++++++++++---
 6 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/app.te b/app.te
index 1540f08b8..22a393e24 100644
--- a/app.te
+++ b/app.te
@@ -26,6 +26,9 @@ allow platform_app shell_data_file:lnk_file read;
 allow platform_app apk_tmp_file:file rw_file_perms;
 # Read /dev/xt_qtaguid
 allow platform_app qtaguid_device:chr_file r_file_perms;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
@@ -53,6 +56,8 @@ net_domain(shared_app)
 bluetooth_domain(shared_app)
 # Read logs.
 allow shared_app log_device:chr_file read;
+# ASEC
+r_dir_file(shared_app, asec_apk_file);
 
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
diff --git a/domain.te b/domain.te
index 47ad05a3a..96f971c84 100644
--- a/domain.te
+++ b/domain.te
@@ -54,6 +54,7 @@ allow domain urandom_device:chr_file r_file_perms;
 
 # Filesystem accesses.
 allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
 
 # System file accesses.
 allow domain system_file:dir r_dir_perms;
diff --git a/file.te b/file.te
index 451ad1dad..70100a955 100644
--- a/file.te
+++ b/file.te
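Review bot: `allow platform_app asec_apk_file:dir create_dir_perms;` and `allow platform_app asec_apk_file:file create_file_perms;` give every platform-signed app create/write access to the mounted container contents, while the shared_app hunk below grants only `r_dir_file(shared_app, asec_apk_file);`. Per the commit message /mnt/asec holds the decrypted APK content once an image is mounted, so write access there is a real widening of what a platform_app can alter compared with read-only access. If read is all that is needed, `r_dir_file(platform_app, asec_apk_file);` keeps the two app domains consistent; otherwise the bare `# ASEC` comment should name the operation that requires write, e.g. `# ASEC: platform apps create/update files inside their mounted containers`.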
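Review bot: `allow domain fs_type:dir getattr;` is a grant to every domain placed under the generic `# Filesystem accesses.` comment, so a reader cannot tell which ASEC step needs it or why it has to be global rather than limited to the app, installd and vold domains this patch touches. A one-line comment would make the grant reviewable, e.g. `# Let any domain stat the root directory of any filesystem type (mount points).`; the mount-point motivation is my inference from the rest of the patch and should be confirmed before it is written down.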
@@ -32,7 +32,6 @@ type anr_data_file, file_type, data_file_type, mlstrustedobject;
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type;
-type asec_data_file, file_type, data_file_type;
 type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
@@ -59,6 +58,10 @@ type cache_file, file_type, mlstrustedobject;
 
 type efs_file, file_type;
 # Type for wallpaper file.
 type wallpaper_file, file_type, mlstrustedobject;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
diff --git a/file_contexts b/file_contexts
index 8876bfe96..713da7991 100644
--- a/file_contexts
+++ b/file_contexts
@@ -152,4 +152,5 @@
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 #############################
 # asec containers
-/mnt/asec(/.*)? u:object_r:asec_data_file:s0
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
diff --git a/installd.te b/installd.te
index 2a87eb7b1..553127c00 100644
--- a/installd.te
+++ b/installd.te
@@ -20,3 +20,7 @@ dontaudit installd self:capability sys_admin;
 selinux_check_context(installd)
 # Read /seapp_contexts, presently on the rootfs.
 allow installd rootfs:file r_file_perms;
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file r_file_perms;
diff --git a/vold.te b/vold.te
index 86dbbb7a7..60d6a3729 100644
--- a/vold.te
+++ b/vold.te
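Review bot: The `/mnt/asec(/.*)? u:object_r:asec_apk_file:s0` entry can only label objects on a filesystem that gets relabeled from file_contexts; the contents of a mounted container image take their label from how vold mounts it (a context= mount option or a genfscon rule), and neither appears in this patch. If the images do not end up labeled asec_apk_file, the new platform_app, shared_app, installd and vold rules against that type would not govern the files they are written for. Worth confirming where the mounted contents get their label and recording it next to the entry, e.g. `# asec containers (mount point only; mounted image contents are labeled at mount time)`.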
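Review bot: `allow installd platform_app_data_file:lnk_file { create setattr };` and the matching `app_data_file` rule let installd create and relabel/chown symlinks in app data directories, but the `# ASEC` comment does not say which link is created or where it points, and no `unlink` is granted, so replacing an existing link on reinstall would be denied if installd does that. A comment such as `# ASEC: create the per-app lib symlink pointing into the mounted container` (target and lifecycle to be confirmed against installd) would make the rule reviewable. If only creation is needed, dropping `setattr` keeps the grant minimal.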
@@ -16,7 +16,7 @@ allow vold sdcard:dir create_dir_perms;
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin };
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket *;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
@@ -39,7 +39,7 @@ allow vold sysfs:file rw_file_perms;
 unix_socket_connect(vold, property, init)
 
 # Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
+allow vold labeledfs:filesystem { mount unmount remount };
 
 # Access /efs/userdata_footer.
 # XXX Split into a separate type?
@@ -53,7 +53,14 @@ allow vold kernel:system module_request;
 allow vold proc:file write;
 
 # Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { open read write create add_name mounton };
+allow vold system_data_file:dir { rw_dir_perms mounton };
 
 # Property Service
 allow vold vold_prop:property_service set;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold rootfs:file r_file_perms;
+allow vold asec_apk_file:dir { rw_dir_perms setattr };
+allow vold asec_apk_file:file { r_file_perms setattr };
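Review bot: The capability set on `allow vold self:capability { ... chown fowner fsetid };` grows by three capabilities with no comment, and `fsetid` in particular lets vold keep set-user-ID/set-group-ID bits on files it modifies, which is broader than the chown/fowner that fixing up ownership of mounted container files would need. Each new capability should be tied to the ASEC step that requires it, e.g. `# ASEC: chown/fowner to set ownership on mounted container files; fsetid for <reason>`, with fsetid dropped if no step actually depends on it.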
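Review bot: `allow vold system_data_file:dir { rw_dir_perms mounton };` replaces an explicit set that included `create`; if rw_dir_perms expands to the r_dir_perms/w_dir_perms union as in global_macros, it does not include `create`, so the comment `# Create and mount on /data/tmp_mnt.` no longer matches the rule and creating the mount directory would be denied. Either keep it (`allow vold system_data_file:dir { rw_dir_perms create mounton };`) or update the comment to say the directory is created elsewhere. The new `allow vold rootfs:file r_file_perms;` under `# ASEC` also lacks the purpose comment installd.te carries for the same grant (`# Read /seapp_contexts, presently on the rootfs.`); if that is the reason here too, copying it would explain why vold needs rootfs reads.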