Change when the SELinux relabel of /data/data occurs.
Perform the relabel of the /data/data/<pkg> directories
when the app is being scanned by the PMS. The impetus
for this change was that the data directories of forward
locked apps were receiving the wrong label during an
OTA. Because the PMS doesn't actually scan forward locked
apps til later in the boot process, the prior restorecon
call was actually applying the default label of
system_data_file for all such apps. By performing a
restorecon on each individual app as they are entered into
the PMS we can handle them correctly. This mechanism also
allows us to pass down the seinfo tag as part of the
restorecon call which drops our need to rely on the contents
of packages.list.
Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/services/java/com/android/server/pm/Installer.java b/services/java/com/android/server/pm/Installer.java
index 4b087cc..8cd9d93 100644
--- a/services/java/com/android/server/pm/Installer.java
+++ b/services/java/com/android/server/pm/Installer.java
@@ -397,7 +397,14 @@
return execute(builder.toString());
}
- public boolean restoreconData() {
- return (execute("restorecondata") == 0);
+ public boolean restoreconData(String pkgName, String seinfo, int uid) {
+ StringBuilder builder = new StringBuilder("restorecondata");
+ builder.append(' ');
+ builder.append(pkgName);
+ builder.append(' ');
+ builder.append(seinfo != null ? seinfo : "!");
+ builder.append(' ');
+ builder.append(uid);
+ return (execute(builder.toString()) == 0);
}
}
diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java
index 5dded57..f33f7394 100755
--- a/services/java/com/android/server/pm/PackageManagerService.java
+++ b/services/java/com/android/server/pm/PackageManagerService.java
@@ -393,6 +393,9 @@
// If mac_permissions.xml was found for seinfo labeling.
boolean mFoundPolicyFile;
+ // If a recursive restorecon of /data/data/<pkg> is needed.
+ private boolean mShouldRestoreconData = SELinuxMMAC.shouldRestorecon();
+
// All available activities, for your resolving pleasure.
final ActivityIntentResolver mActivities =
new ActivityIntentResolver();
@@ -1486,13 +1489,6 @@
// can downgrade to reader
mSettings.writeLPr();
- if (SELinuxMMAC.shouldRestorecon()) {
- Slog.i(TAG, "Relabeling of /data/data and /data/user issued.");
- if (mInstaller.restoreconData()) {
- SELinuxMMAC.setRestoreconDone();
- }
- }
-
EventLog.writeEvent(EventLogTags.BOOT_PROGRESS_PMS_READY,
SystemClock.uptimeMillis());
@@ -4617,6 +4613,11 @@
}
}
pkg.applicationInfo.dataDir = dataPath.getPath();
+ if (mShouldRestoreconData) {
+ Slog.i(TAG, "SELinux relabeling of " + pkg.packageName + " issued.");
+ mInstaller.restoreconData(pkg.packageName, pkg.applicationInfo.seinfo,
+ pkg.applicationInfo.uid);
+ }
} else {
if (DEBUG_PACKAGE_SCANNING) {
if ((parseFlags & PackageParser.PARSE_CHATTY) != 0)
@@ -11062,6 +11063,10 @@
*/
public void scanAvailableAsecs() {
updateExternalMediaStatusInner(true, false, false);
+ if (mShouldRestoreconData) {
+ SELinuxMMAC.setRestoreconDone();
+ mShouldRestoreconData = false;
+ }
}
/*