diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-06 13:52:52 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-06 14:33:29 -0500 |
commit | f2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc (patch) | |
tree | cbb9b4f92747eb54902f616160b5a601985b7504 /rootdir | |
parent | 68835ee88b146f654fe3ce007f07ace71266e876 (diff) | |
download | system_core-f2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc.zip system_core-f2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc.tar.gz system_core-f2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc.tar.bz2 |
Apply restorecon_recursive to all of /data.
With the following prior changes:
I77bf2a0c4c34b1feef6fdf4d6c3bd92dbf32f4a1
I698b1b2c3f00f31fbb2015edf23d33b51aa5bba1
I8dd915d9bb80067339621b905ea2b4ea0fa8d71e
it should now be safe (will correctly label all files)
and reasonably performant (will skip processing unless
file_contexts has changed since the last call) to call
restorecon_recursive /data from init.rc.
The call is placed after the setprop selinux.policy_reload 1 so that
we use any policy update under /data/security if present.
Change-Id: Ib8d9751a47c8e0238cf499fcec61898937945d9d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'rootdir')
-rw-r--r-- | rootdir/init.rc | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/rootdir/init.rc b/rootdir/init.rc index fa1ddd4..55eb429 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -214,23 +214,16 @@ on post-fs-data mkdir /data/misc/radio 0770 system radio mkdir /data/misc/sms 0770 system radio mkdir /data/misc/zoneinfo 0775 system system - restorecon_recursive /data/misc/zoneinfo mkdir /data/misc/vpn 0770 system vpn mkdir /data/misc/systemkeys 0700 system system mkdir /data/misc/wifi 0770 wifi wifi mkdir /data/misc/wifi/sockets 0770 wifi wifi - restorecon_recursive /data/misc/wifi/sockets mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi mkdir /data/misc/dhcp 0770 dhcp dhcp # give system access to wpa_supplicant.conf for backup and restore chmod 0660 /data/misc/wifi/wpa_supplicant.conf mkdir /data/local 0751 root root mkdir /data/misc/media 0700 media media - restorecon_recursive /data/misc/media - - # Set security context of any pre-existing /data/misc/adb/adb_keys file. - restorecon /data/misc/adb - restorecon /data/misc/adb/adb_keys # For security reasons, /data/local/tmp should always be empty. # Do not place files or directories in /data/local/tmp @@ -262,7 +255,6 @@ on post-fs-data # create directory for MediaDrm plug-ins - give drm the read/write access to # the following directory. mkdir /data/mediadrm 0770 mediadrm mediadrm - restorecon_recursive /data/mediadrm # symlink to bugreport storage location symlink /data/data/com.android.shell/files/bugreports /data/bugreports @@ -273,6 +265,9 @@ on post-fs-data # Reload policy from /data/security if present. setprop selinux.reload_policy 1 + # Set SELinux security contexts on upgrade or policy update. + restorecon_recursive /data + # If there is no fs-post-data action in the init.<device>.rc file, you # must uncomment this line, otherwise encrypted filesystems # won't work. |