From f2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Thu, 6 Feb 2014 13:52:52 -0500
Subject: [PATCH] Apply restorecon_recursive to all of /data.

With the following prior changes:
I77bf2a0c4c34b1feef6fdf4d6c3bd92dbf32f4a1
I698b1b2c3f00f31fbb2015edf23d33b51aa5bba1
I8dd915d9bb80067339621b905ea2b4ea0fa8d71e
it should now be safe (will correctly label all files) and reasonably performant (will skip processing unless file_contexts has changed since the last call) to call restorecon_recursive /data from init.rc. The call is placed after the setprop selinux.policy_reload 1 so that we use any policy update under /data/security if present.

Change-Id: Ib8d9751a47c8e0238cf499fcec61898937945d9d
Signed-off-by: Stephen Smalley
---
 rootdir/init.rc | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index fa1ddd40e..55eb429e6 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -214,23 +214,16 @@ on post-fs-data
 mkdir /data/misc/radio 0770 system radio
 mkdir /data/misc/sms 0770 system radio
 mkdir /data/misc/zoneinfo 0775 system system
- restorecon_recursive /data/misc/zoneinfo
 mkdir /data/misc/vpn 0770 system vpn
 mkdir /data/misc/systemkeys 0700 system system
 mkdir /data/misc/wifi 0770 wifi wifi
 mkdir /data/misc/wifi/sockets 0770 wifi wifi
- restorecon_recursive /data/misc/wifi/sockets
 mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
 mkdir /data/misc/dhcp 0770 dhcp dhcp
 # give system access to wpa_supplicant.conf for backup and restore
 chmod 0660 /data/misc/wifi/wpa_supplicant.conf
 mkdir /data/local 0751 root root
 mkdir /data/misc/media 0700 media media
- restorecon_recursive /data/misc/media
-
- # Set security context of any pre-existing /data/misc/adb/adb_keys file.
- restorecon /data/misc/adb
- restorecon /data/misc/adb/adb_keys
 # For security reasons, /data/local/tmp should always be empty.
 # Do not place files or directories in /data/local/tmp
@@ -262,7 +255,6 @@ on post-fs-data
 # create directory for MediaDrm plug-ins - give drm the read/write access to
 # the following directory.
 mkdir /data/mediadrm 0770 mediadrm mediadrm
- restorecon_recursive /data/mediadrm
 # symlink to bugreport storage location
 symlink /data/data/com.android.shell/files/bugreports /data/bugreports
@@ -273,6 +265,9 @@ on post-fs-data
 # Reload policy from /data/security if present.
 setprop selinux.reload_policy 1
+ # Set SELinux security contexts on upgrade or policy update.
+ restorecon_recursive /data
+
 # If there is no fs-post-data action in the init..rc file, you
 # must uncomment this line, otherwise encrypted filesystems
 # won't work.
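Review bot: The comment added above `restorecon_recursive /data` in the third hunk says the relabel happens "on upgrade or policy update", but as written the command runs unconditionally on every post-fs-data; per the description, the skip-unless-file_contexts-changed check lives inside restorecon_recursive (the prior changes listed), not in init.rc, so the comment should say where that gate is, e.g. `# Relabel all of /data. restorecon_recursive walks the tree only when file_contexts has changed since the last run; otherwise it is a no-op.` Placing the walk directly after `setprop selinux.reload_policy 1` presumably relies on the policy reload that the setprop triggers completing before the next command in the action executes; if that reload is deferred, files would be labelled against the old policy, which is worth confirming against init's property handling. Note also that the description names the property `selinux.policy_reload` while the hunk uses `selinux.reload_policy`; the hunk is the one to trust. The post-fs-data action continues outside the hunk.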