Merge "Fix SELinux policies to allow resource overlays."

8d6e4cc1 · Nick Kralevich · Gerrit Code Review · 75e2ef92 · fad4d5fb · 8d6e4cc1
Commit 8d6e4cc1 authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/app.te
+++ b/app.te
@@ -141,6 +141,10 @@ allow appdomain shared_relro_file:file r_file_perms;
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:file { rx_file_perms execmod };
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
 ###
 ### CTS-specific rules
 ###

--- a/file.te
+++ b/file.te
@@ -61,6 +61,8 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/dalvik-cache/profiles
 type dalvikcache_profiles_data_file, file_type, data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
 type shell_data_file, file_type, data_file_type;
 # /data/gps

--- a/file_contexts
+++ b/file_contexts
@@ -173,6 +173,7 @@
 /data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0

--- a/installd.te
+++ b/installd.te
@@ -49,6 +49,10 @@ allow installd dalvikcache_data_file:file create_file_perms;
 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };

--- a/system_server.te
+++ b/system_server.te
@@ -15,6 +15,10 @@ allow system_server system_server_tmpfs:file execute;
 # For art.
 allow system_server dalvikcache_data_file:file execute;
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
 # ptrace to processes in the same domain for debugging crashes.
 allow system_server self:process ptrace;

--- a/zygote.te
+++ b/zygote.te
@@ -24,6 +24,9 @@ allow zygote system_data_file:file r_file_perms;
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
+# Write to /data/resource-cache
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.