From c960596cc346a94d15dcfff51a7e25ddf4edbd19 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Thu, 14 May 2015 20:55:31 -0700
Subject: [PATCH] drop_caches label, vold scratch space on expanded.

Define an explicit label for /proc/sys/vm/drop_caches and grant to the various people who need it, including vold which uses it when performing storage benchmarks.

Also let vold create new directories under it's private storage area where the benchmarks will be carried out. Mirror the definition of the private storage area on expanded media.

avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
---
 file.te             | 2 ++
 file_contexts       | 1 +
 genfs_contexts      | 1 +
 install_recovery.te | 4 +---
 recovery.te         | 3 +--
 vold.te             | 5 ++++-
 6 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/file.te b/file.te
index 3bbf9a5b4..5e8687a72 100644
--- a/file.te
+++ b/file.te
@@ -6,6 +6,8 @@ type rootfs, fs_type;
 type proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type;
+# Type for /proc/sys/vm/drop_caches
+type proc_drop_caches, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 1c6b56cf2..9f895da08 100644
--- a/file_contexts
+++ b/file_contexts
@@ -267,6 +267,7 @@
 /mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
 /mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
 /mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
 
 # coredump directory for userdebug/eng devices
 /cores(/.*)? u:object_r:coredump_file:s0
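Review bot: Declaring `proc_drop_caches` here and relabeling the node in the genfs_contexts hunk moves /proc/sys/vm/drop_caches out of the generic `proc` type, so any domain that was not updated in this commit but relied on a broad `proc:file` write grant for it (device-specific policy, for instance) will start seeing denials against `proc_drop_caches` instead of `proc`; only install_recovery, recovery and vold are re-granted in this patch, so that is worth checking against the other policy directories. Now that the node has its own label, the type can be confined the way `proc_security` is, e.g. `neverallow { domain -vold -recovery -install_recovery } proc_drop_caches:file w_file_perms;` if those are indeed the only legitimate writers. The one-line comment on the new type would read better if it stated the intent, e.g. `# /proc/sys/vm/drop_caches: writable only by the few privileged domains that flush the page cache (vold, recovery).`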
diff --git a/genfs_contexts b/genfs_contexts
index f7967860a..cdf65bc63 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,7 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
diff --git a/install_recovery.te b/install_recovery.te
index 138522036..2d80b0874 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -23,6 +23,4 @@ allow install_recovery cache_file:dir rw_dir_perms;
 allow install_recovery cache_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
-# TODO: create a specific label for this file instead of allowing
-# write for all /proc files.
-allow install_recovery proc:file w_file_perms;
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/recovery.te b/recovery.te
index 29f1a50ec..2aad68bb1 100644
--- a/recovery.te
+++ b/recovery.te
@@ -41,8 +41,7 @@ recovery_only(`
  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
 
  # Write to /proc/sys/vm/drop_caches
- # TODO: create more specific label?
- allow recovery proc:file w_file_perms;
+ allow recovery proc_drop_caches:file w_file_perms;
 
  # Write to /sys/class/android_usb/android0/enable.
  # TODO: create more specific label?
diff --git a/vold.te b/vold.te
index 191b63cb9..1a1913e04 100644
--- a/vold.te
+++ b/vold.te
@@ -144,8 +144,11 @@ allow vold metadata_block_device:blk_file rw_file_perms;
 allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
 # Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
-- 
GitLab
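Review bot: The comment above the new `proc_drop_caches` grant only repeats the path; since vold is the reason this label was introduced, it should say what the write is for so a later reader does not take it for a leftover generic proc grant, e.g. `# vold flushes the page cache (drop_caches) before running storage benchmarks`. The widening from `rw_dir_perms` to `create_dir_perms` on `vold_data_file:dir` lets vold create, rename and remove directories under its private area — the benchmark scratch space named in the commit message — and the `neverallow` below, unchanged here, still keeps other domains from writing there; a short comment on the `create_dir_perms` line naming that purpose (`# benchmark scratch directories`) would tie the two grants together. Nothing in the policy bounds how much scratch data those benchmarks leave behind, so cleanup presumably lives in vold's benchmark code — worth confirming.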