Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / android_system_core / f2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc^! / .
commitf2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Thu Feb 06 13:52:52 2014 -0500
committerStephen Smalley <sds@tycho.nsa.gov>Thu Feb 06 14:33:29 2014 -0500
treecbb9b4f92747eb54902f616160b5a601985b7504
parent68835ee88b146f654fe3ce007f07ace71266e876 [diff]
Apply restorecon_recursive to all of /data.

With the following prior changes:
I77bf2a0c4c34b1feef6fdf4d6c3bd92dbf32f4a1
I698b1b2c3f00f31fbb2015edf23d33b51aa5bba1
I8dd915d9bb80067339621b905ea2b4ea0fa8d71e
it should now be safe (will correctly label all files)
and reasonably performant (will skip processing unless
file_contexts has changed since the last call) to call
restorecon_recursive /data from init.rc.

The call is placed after the setprop selinux.policy_reload 1 so that
we use any policy update under /data/security if present.

Change-Id: Ib8d9751a47c8e0238cf499fcec61898937945d9d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/rootdir/init.rc b/rootdir/init.rc
index fa1ddd4..55eb429 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -214,23 +214,16 @@
     mkdir /data/misc/radio 0770 system radio
     mkdir /data/misc/sms 0770 system radio
     mkdir /data/misc/zoneinfo 0775 system system
-    restorecon_recursive /data/misc/zoneinfo
     mkdir /data/misc/vpn 0770 system vpn
     mkdir /data/misc/systemkeys 0700 system system
     mkdir /data/misc/wifi 0770 wifi wifi
     mkdir /data/misc/wifi/sockets 0770 wifi wifi
-    restorecon_recursive /data/misc/wifi/sockets
     mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
     mkdir /data/misc/dhcp 0770 dhcp dhcp
     # give system access to wpa_supplicant.conf for backup and restore
     chmod 0660 /data/misc/wifi/wpa_supplicant.conf
     mkdir /data/local 0751 root root
     mkdir /data/misc/media 0700 media media
-    restorecon_recursive /data/misc/media
-
-    # Set security context of any pre-existing /data/misc/adb/adb_keys file.
-    restorecon /data/misc/adb
-    restorecon /data/misc/adb/adb_keys
 
     # For security reasons, /data/local/tmp should always be empty.
     # Do not place files or directories in /data/local/tmp
@@ -262,7 +255,6 @@
     # create directory for MediaDrm plug-ins - give drm the read/write access to
     # the following directory.
     mkdir /data/mediadrm 0770 mediadrm mediadrm
-    restorecon_recursive /data/mediadrm
 
     # symlink to bugreport storage location
     symlink /data/data/com.android.shell/files/bugreports /data/bugreports
@@ -273,6 +265,9 @@
     # Reload policy from /data/security if present.
     setprop selinux.reload_policy 1
 
+    # Set SELinux security contexts on upgrade or policy update.
+    restorecon_recursive /data
+
     # If there is no fs-post-data action in the init.<device>.rc file, you
     # must uncomment this line, otherwise encrypted filesystems
     # won't work.