diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index c56bfaeec..f28757ee5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -45,6 +45,7 @@
 hal_rebootescrow_service
 hal_tv_tuner_hwservice
 hal_vibrator_service
+ incremental_control_file
 incremental_service
 init_perf_lsm_hooks_prop
 init_svc_debug_prop
diff --git a/private/file_contexts b/private/file_contexts
index a35cfb4ac..3955708ba 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -611,7 +611,9 @@
 /data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
 # Incremental directories
-/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
 #############################
 # Expanded data files
diff --git a/private/priv_app.te b/private/priv_app.te
index 74930ee27..75e9732a9 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -146,6 +146,10 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System
+allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
 ###
 ### neverallow rules
 ###
diff --git a/private/system_app.te b/private/system_app.te
index 1432017e6..9789a5226 100644
--- a/private/system_app.te
+++ b/private/system_app.te
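Review bot: In private/file_contexts the two new entries leave the dot in `.pending_reads` and `.log` unescaped, and file_contexts paths are regular expressions, so that dot matches any character. A file at the mount root whose name is any one character followed by `log` or `pending_reads` would therefore pick up the `incremental_control_file` label on relabel, which is the label the other hunks of this change grant read and ioctl access on. Escape the dot in both entries: `/data/incremental/MT_[^/]+/mount/\.pending_reads` and `/data/incremental/MT_[^/]+/mount/\.log`.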
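Review bot: In private/priv_app.te the new `allowxperm` is written against the whole `priv_app` domain, while its comment names one store app, so every privileged app gets the read-signature ioctl on `apk_data_file` files. An `allowxperm` also only takes effect where the domain already holds the base `ioctl` permission on that type and class; no such `allow` is visible in this hunk, so it presumably comes from a rule elsewhere. I would have the comment state both, e.g. `# Let any priv_app read the signature of an APK on the Incremental File System;` followed by `# relies on the ioctl permission priv_app already holds on apk_data_file.`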
@@ -72,6 +72,9 @@ allow system_app asec_apk_file:file r_file_perms;
 # Allow system_app (adb data loader) to write data to /data/incremental
 allow system_app apk_data_file:file write;
+# Allow system app (adb data loader) to read logs
+allow system_app incremental_control_file:file r_file_perms;
+
 # Allow system apps (like Settings) to interact with statsd
 binder_call(system_app, statsd)
diff --git a/private/system_server.te b/private/system_server.te
index 9eea579db..ef527fd94 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -24,6 +24,13 @@ allow system_server appdomain_tmpfs:file { getattr map read write };
 # For Incremental Service to check if incfs is available
 allow system_server proc_filesystems:file r_file_perms;
+# To create files on Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+
+# To get signature of an APK installed on Incremental File System
+allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index ddae67894..0585afd01 100644
--- a/public/file.te
+++ b/public/file.te
@@ -186,6 +186,8 @@ type vendor_task_profiles_file, vendor_file_type, file_type;
 type art_apex_dir, system_file_type, file_type;
 # /linkerconfig(/.*)?
 type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
 # Default type for directories search for
 # HAL implementations
diff --git a/public/ioctl_defines b/public/ioctl_defines
index b2a6fbf9a..4eeeb4e37 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
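Review bot: In private/system_app.te the comment says the rule is for reading logs, but `incremental_control_file` is the label this change gives to both `.log` and `.pending_reads`, so the `allow` opens both control files for reading. It also applies to the whole `system_app` domain rather than only to the adb data loader the comment mentions. If only the log is needed, a separate type for `.log` would keep the pending-reads file out of reach. Otherwise the comment should state the real scope, e.g. `# Allow system_app (adb data loader) to read the incfs control files (.log and .pending_reads)`.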
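Review bot: In private/system_server.te the set `{ ioctl r_file_perms }` names `ioctl` twice if `r_file_perms` is defined as usual, since that macro already includes it; `allow system_server incremental_control_file:file r_file_perms;` would match the system_app rule added in this same change. The `allowxperm` for `INCFS_IOCTL_CREATE_FILE` is also scoped to the type rather than to one file, so it covers `.log` as well as `.pending_reads`, and the comment could say which control file the ioctl is meant for. The second `allowxperm`, on `apk_data_file`, depends on a base `ioctl` permission that is not visible in this hunk.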
@@ -1055,6 +1055,8 @@ define(`IMGETDEVINFO', `0x80044944')
 define(`IMGETVERSION', `0x80044942')
 define(`IMHOLD_L1', `0x80044948')
 define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/vold.te b/public/vold.te
index 1ddd19e16..fd3ed84a9 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -132,6 +132,8 @@ allow vold apk_data_file:dir { mounton rw_dir_perms };
 allow vold apk_data_file:file rw_file_perms;
 # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
 allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
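Review bot: In public/vold.te the new rule grants only `relabelto` on `incremental_control_file`, but a restorecon also needs `relabelfrom` on whatever label the control files carry before they are relabeled, and the hunk does not say what that label is. The visible context gives vold `rw_file_perms` on `apk_data_file:file`, which does not include `relabelfrom`, so if the files start out as `apk_data_file` the relabel depends on a grant elsewhere in the file. I would extend the comment to name the source label, e.g. `# restorecon relabels the control files from <previous label> to incremental_control_file`, and confirm the matching `relabelfrom` exists.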