Add SELinux restorecon calls on ASEC containers.
This will allow fine-grained labeling of the
contents of ASEC containers. Some of the contents
need to be world readable and thus should be
distinguishable in policy.
Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/Android.mk b/Android.mk
index 0064cb4..9ad0edd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -35,7 +35,8 @@
libhardware_legacy \
liblogwrap \
libext4_utils \
- libcrypto
+ libcrypto \
+ libselinux
common_static_libraries := \
libfs_mgr \
diff --git a/VolumeManager.cpp b/VolumeManager.cpp
index 117eee0..3c2dd33 100644
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@@ -35,6 +35,8 @@
#include <cutils/fs.h>
#include <cutils/log.h>
+#include <selinux/android.h>
+
#include <sysutils/NetlinkEvent.h>
#include <private/android_filesystem_config.h>
@@ -613,6 +615,12 @@
} else if (ftsent->fts_info & FTS_F) {
result |= fchmod(fd, privateFile ? 0640 : 0644);
}
+
+ if (selinux_android_restorecon(ftsent->fts_path) < 0) {
+ SLOGE("restorecon failed for %s: %s\n", ftsent->fts_path, strerror(errno));
+ result |= -1;
+ }
+
close(fd);
}
fts_close(fts);
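Review bot: The added `selinux_android_restorecon(ftsent->fts_path)` relabels by path, while the line just above it changes the mode through the already-open descriptor (`fchmod(fd, ...)`). If anything can rename or replace entries in the tree during the walk, the label could land on a different object than the one whose mode was just set. Whether that can happen depends on who can write to the mounted container at this point, which this hunk does not show. If it can, consider looking up the expected context and applying it to the open descriptor with `fsetfilecon(fd, ctx)`. Otherwise a comment would do, such as `// Path-based relabel is safe here: the container is mounted and writable only by vold during fixup`, provided that invariant really holds. The loop body starts outside this hunk, so check that the relabel is reached for every entry type that needs a label and not only those that get as far as `close(fd)`.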