From 7617cd48b7b67bfacab5f574064a1f3d2a4f82e1 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Tue, 9 Jun 2015 11:01:04 -0700
Subject: [PATCH] New "selinux.restorecon" control property.

This new property is used as a control verb for running a recursive
restorecon at the path contained in the property value.

Defines a new label and grants access to vold, which invokes it when
mounting private adopted volumes.

Bug: 21121357
Change-Id: I8ff12a146e54a505aa5b43a542578891563d647a
---
 property.te       | 1 +
 property_contexts | 3 ++-
 vold.te           | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/property.te b/property.te
index 94ae714bc..e046f4219 100644
--- a/property.te
+++ b/property.te
@@ -21,6 +21,7 @@ type ctl_bugreport_prop, property_type;
 type ctl_console_prop, property_type;
 type audio_prop, property_type;
 type logd_prop, property_type;
+type restorecon_prop, property_type;
 type security_prop, property_type;
 type bluetooth_prop, property_type;
 type pan_result_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 18449108b..5bdb3c32c 100644
--- a/property_contexts
+++ b/property_contexts
@@ -41,7 +41,8 @@ persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
 
 # selinux non-persistent properties
-selinux.                u:object_r:security_prop:s0
+selinux.restorecon_recursive   u:object_r:restorecon_prop:s0
+selinux.                       u:object_r:security_prop:s0
 
 # default property context
 *                       u:object_r:default_prop:s0
diff --git a/vold.te b/vold.te
index 49815c882..af050c880 100644
--- a/vold.te
+++ b/vold.te
@@ -111,6 +111,7 @@ allow vold kernel:process setsched;
 set_prop(vold, vold_prop)
 set_prop(vold, powerctl_prop)
 set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
@@ -159,3 +160,4 @@ neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setat
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init } restorecon_prop:property_service set;
-- 
GitLab