authorrpcraig <rpcraig@tycho.ncsc.mil>2012-11-28 09:23:18 -0500
committerRicardo Cerqueira <cyanogenmod@cerqueira.org>2013-07-18 21:02:23 +0100
commit81a56239791c6d8d686171fb51438a82eaf8b9e1 (patch)
tree7d2bfc17b5c88010e904d091ccb0a865819dff84
parent2a091b42566d4de5fd88e6e58f29f9b7feadc0b7 (diff)
downloadframeworks_base-81a56239791c6d8d686171fb51438a82eaf8b9e1.zip
frameworks_base-81a56239791c6d8d686171fb51438a82eaf8b9e1.tar.gz
frameworks_base-81a56239791c6d8d686171fb51438a82eaf8b9e1.tar.bz2
Proper security labeling of multi-user data directories.
This patch covers 2 cases: when an app is installed and the resulting data directory is created for all existing users, and when a new user is created and all existing app data directories are created for the new user. Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> Change-Id: I01f2a9084dfe7886087b1497070b0d7f2ad8478e
-rw-r--r--cmds/installd/commands.c16
-rw-r--r--cmds/installd/installd.c5
-rw-r--r--cmds/installd/installd.h2
-rw-r--r--services/java/com/android/server/pm/Installer.java4
-rw-r--r--services/java/com/android/server/pm/PackageManagerService.java2
-rw-r--r--services/java/com/android/server/pm/Settings.java3
6 files changed, 18 insertions, 14 deletions
diff --git a/cmds/installd/commands.c b/cmds/installd/commands.c
index 4f6971b..2e5f360 100644
--- a/cmds/installd/commands.c
+++ b/cmds/installd/commands.c
@@ -190,7 +190,7 @@ int delete_user_data(const char *pkgname, uid_t persona)
return delete_dir_contents(pkgdir, 0, "lib");
}
-int make_user_data(const char *pkgname, uid_t uid, uid_t persona)
+int make_user_data(const char *pkgname, uid_t uid, uid_t persona, const char* seinfo)
{
char pkgdir[PKG_PATH_MAX];
char applibdir[PKG_PATH_MAX];
@@ -251,21 +251,21 @@ int make_user_data(const char *pkgname, uid_t uid, uid_t persona)
return -1;
}
- if (chown(pkgdir, uid, uid) < 0) {
- ALOGE("cannot chown dir '%s': %s\n", pkgdir, strerror(errno));
+#ifdef HAVE_SELINUX
+ if (selinux_android_setfilecon2(pkgdir, pkgname, seinfo, uid) < 0) {
+ ALOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));
unlink(libsymlink);
unlink(pkgdir);
return -errno;
}
+#endif
-#ifdef HAVE_SELINUX
- if (selinux_android_setfilecon(pkgdir, pkgname, uid) < 0) {
- ALOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));
+ if (chown(pkgdir, uid, uid) < 0) {
+ ALOGE("cannot chown dir '%s': %s\n", pkgdir, strerror(errno));
unlink(libsymlink);
unlink(pkgdir);
return -errno;
}
-#endif
return 0;
}
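Review bot: Both failure branches in this hunk call `unlink(pkgdir)` on what the log messages describe as a directory, and then return `-errno` after the log call and two unlink() calls may already have overwritten errno. unlink() does not remove a directory, so when `selinux_android_setfilecon2` or `chown` fails the package directory would presumably stay on disk without the intended label or owner, and the caller may get an unrelated error code. I would capture the error first and remove the directory with rmdir: `int err = errno;` before the ALOGE, then `unlink(libsymlink); rmdir(pkgdir); return -err;`. How pkgdir is created is outside this hunk, so confirm it is a plain directory at this point.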
@@ -325,7 +325,7 @@ int clone_persona_data(uid_t src_persona, uid_t target_persona, int copy)
uid = (uid_t) s.st_uid % PER_USER_RANGE;
/* Create the directory for the target */
make_user_data(name, uid + target_persona * PER_USER_RANGE,
- target_persona);
+ target_persona, NULL);
}
}
closedir(d);
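Review bot: The updated call in clone_persona_data passes `NULL` for seinfo and still discards the return value of make_user_data. A directory cloned for the target persona is therefore labeled without the package's seinfo, and a failed setfilecon or chown goes unnoticed. If the policy assigns a different context based on seinfo, this path could yield a label that differs from the one the install path applies to the same package. At minimum I would check the result, e.g. `if (make_user_data(name, uid + target_persona * PER_USER_RANGE, target_persona, NULL) < 0) ALOGE("cannot create data dir for '%s'\n", name);`, and add a comment such as `/* seinfo is not known here; the directory gets the label for a NULL seinfo */`. The enclosing function starts and ends outside this hunk.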
diff --git a/cmds/installd/installd.c b/cmds/installd/installd.c
index 73249cc..74643ac 100644
--- a/cmds/installd/installd.c
+++ b/cmds/installd/installd.c
@@ -103,7 +103,8 @@ static int do_rm_user_data(char **arg, char reply[REPLY_MAX])
static int do_mk_user_data(char **arg, char reply[REPLY_MAX])
{
- return make_user_data(arg[0], atoi(arg[1]), atoi(arg[2])); /* pkgname, uid, userid */
+ return make_user_data(arg[0], atoi(arg[1]), atoi(arg[2]), arg[3]);
+ /* pkgname, uid, userid, seinfo */
}
static int do_rm_user(char **arg, char reply[REPLY_MAX])
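Review bot: `arg[3]` is handed to make_user_data unchanged, while the Java side in Installer.java sends the literal `"!"` when seinfo is null. So the string `"!"` reaches `selinux_android_setfilecon2` as if it were a real seinfo value, whereas clone_persona_data signals the same condition with `NULL`. Whether the labeling call treats `"!"` as "no seinfo" is not visible on this page. I would translate the sentinel here so both paths agree, `const char *seinfo = strcmp(arg[3], "!") ? arg[3] : NULL;`, and document it with `/* "!" means no seinfo was supplied */`.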
@@ -147,7 +148,7 @@ struct cmdinfo cmds[] = {
{ "rmuserdata", 2, do_rm_user_data },
{ "movefiles", 0, do_movefiles },
{ "linklib", 3, do_linklib },
- { "mkuserdata", 3, do_mk_user_data },
+ { "mkuserdata", 4, do_mk_user_data },
{ "rmuser", 1, do_rm_user },
{ "cloneuserdata", 3, do_clone_user_data },
};
diff --git a/cmds/installd/installd.h b/cmds/installd/installd.h
index 5a68733..8bce669 100644
--- a/cmds/installd/installd.h
+++ b/cmds/installd/installd.h
@@ -201,7 +201,7 @@ int uninstall(const char *pkgname, uid_t persona);
int renamepkg(const char *oldpkgname, const char *newpkgname);
int fix_uid(const char *pkgname, uid_t uid, gid_t gid);
int delete_user_data(const char *pkgname, uid_t persona);
-int make_user_data(const char *pkgname, uid_t uid, uid_t persona);
+int make_user_data(const char *pkgname, uid_t uid, uid_t persona, const char* seinfo);
int delete_persona(uid_t persona);
int clone_persona_data(uid_t src_persona, uid_t target_persona, int copy);
int delete_cache(const char *pkgname, uid_t persona);
diff --git a/services/java/com/android/server/pm/Installer.java b/services/java/com/android/server/pm/Installer.java
index ddb0d0b..6a071ef 100644
--- a/services/java/com/android/server/pm/Installer.java
+++ b/services/java/com/android/server/pm/Installer.java
@@ -265,7 +265,7 @@ public final class Installer {
return execute(builder.toString());
}
- public int createUserData(String name, int uid, int userId) {
+ public int createUserData(String name, int uid, int userId, String seinfo) {
StringBuilder builder = new StringBuilder("mkuserdata");
builder.append(' ');
builder.append(name);
@@ -273,6 +273,8 @@ public final class Installer {
builder.append(uid);
builder.append(' ');
builder.append(userId);
+ builder.append(' ');
+ builder.append(seinfo != null ? seinfo : "!");
return execute(builder.toString());
}
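Review bot: The appended `seinfo` is written into a space-delimited command string without any check, so a value containing a space or newline would shift the arguments that installd counts for `mkuserdata`. A real seinfo equal to `"!"` would also be indistinguishable from the null placeholder. Where seinfo originates is outside this hunk; if it is always taken from trusted policy this is only a hardening point, but the wire format deserves a comment and a guard. I would add `// "!" tells installd that no seinfo is available; seinfo must not contain whitespace` above the append and reject a value containing whitespace before building the command.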
diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java
index 134619e..81ff2f3 100644
--- a/services/java/com/android/server/pm/PackageManagerService.java
+++ b/services/java/com/android/server/pm/PackageManagerService.java
@@ -3619,7 +3619,7 @@ public class PackageManagerService extends IPackageManager.Stub {
for (int user : users) {
if (user != 0) {
res = mInstaller.createUserData(packageName,
- UserHandle.getUid(user, uid), user);
+ UserHandle.getUid(user, uid), user, seinfo);
if (res < 0) {
return res;
}
diff --git a/services/java/com/android/server/pm/Settings.java b/services/java/com/android/server/pm/Settings.java
index 96533b0..47d6bb3 100644
--- a/services/java/com/android/server/pm/Settings.java
+++ b/services/java/com/android/server/pm/Settings.java
@@ -2356,7 +2356,8 @@ final class Settings {
ps.setInstalled((ps.pkgFlags&ApplicationInfo.FLAG_SYSTEM) != 0, userHandle);
// Need to create a data directory for all apps under this user.
installer.createUserData(ps.name,
- UserHandle.getUid(userHandle, ps.appId), userHandle);
+ UserHandle.getUid(userHandle, ps.appId), userHandle,
+ ps.pkg.applicationInfo.seinfo);
}
readDefaultPreferredAppsLPw(userHandle);
writePackageRestrictionsLPr(userHandle);
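Review bot: The new argument `ps.pkg.applicationInfo.seinfo` dereferences `ps.pkg` and `applicationInfo` with no null check, so a package setting that has no parsed package attached would throw a NullPointerException in the middle of creating the new user's data directories. Whether such settings can occur in this loop is not visible here, but createUserData already accepts a null seinfo, which makes a guarded lookup cheap: `String seinfo = (ps.pkg != null && ps.pkg.applicationInfo != null) ? ps.pkg.applicationInfo.seinfo : null;`. The result of `installer.createUserData(...)` is also dropped here, unlike the PackageManagerService call that checks `res < 0`, so a labeling failure for the new user would pass silently. The enclosing method starts and ends outside this hunk.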