On 08/23/2015 09:29 PM, 심현용 wrote:
> Dear all.
> 
> At boot time, I know about the restorecon_recursive of /data in init.rc
> or restorecon_recursive(/sys) in init.cpp.
> 
> /system/core/rootdir/init.rc
> 369     # Set SELinux security contexts on upgrade or policy update.
> 370     restorecon_recursive /data
> 
> /system/core/init/init.cpp
> 1208     restorecon_recursive("/sys");
> 
> But it doesn't work well, as shown below, for a file attribute like a symbolic link.
> 
> /data/data/com.nhn.android.search # ls -Z
> lrwxrwxrwx install  install           *u:object_r:app_data_file:s0* *lib
> -> /mnt/asec/com.nhn.android.search-2/lib/arm*/
> 
> When upgrading from L to M OS, this label (/data/data/"package")
> has to change to app_data_file:s0:c512,c768, but it didn't work for the
> symbolic link file.
> 
> When I execute the command restorecon /data/data/com.nhn.android.search in
> adb shell, it works well, as shown below.
> drwxr-x--x u0_a184  u0_a184          
> u:object_r:app_data_file:s0:c512,c768 com.nhn.android.search
> 
> How can I resolve this issue?

That does appear to be a bug.  It is actually installd that handles the
restorecon of package directories on upgrade, triggered by calls from
the PMS.  I reproduced by doing an adb install -l of an apk on L, then
upgrading to master.  As you note above, the lib symlink is not
relabeled in that situation.  If you run restorecon -RDv on the package
directory from an adb shell, it is then correctly relabeled.  This only
appears to occur with forward-locked apps; regular apps have their lib
symlink correctly relabeled with categories.  The other interesting
difference in symlinks is that the forward-locked apps have root-owned
symlinks while the regular apps have install-owned ones.

I'm not sure of the impact however.  In either case, the symlink should
be readable by the app, so following the link should work regardless.
The app won't be able to unlink the symlink in the forward-locked app
case due to this mislabeling, but I don't know why it would want to do so.

I'm guessing that these symlinks are actually created by something other
than installd when the asec container is mounted (vold?), and that
component doesn't perform a restorecon of the symlink.
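
A check for the mislabeling discussed in this thread, as an added example that is not part of the original messages: it parses `ls -Z` lines in the layout quoted above and flags `app_data_file` entries whose level carries no categories. The function names and the sample lines (package `com.example.app`) are constructed for illustration.

```python
import re

# Layout of the `ls -Z` lines quoted in this thread:
#   <mode> <owner> <group> <context> <name> [-> <target>]
LS_Z = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<context>\S+)\s+(?P<name>.+?)(?:\s+->\s+(?P<target>.+))?$"
)

def parse_ls_z(line):
    """Return a dict describing one `ls -Z` line, or None if it does not parse."""
    m = LS_Z.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # A context is user:role:type:level; the level is sensitivity[:categories].
    parts = entry["context"].split(":", 3)
    if len(parts) != 4:
        return None
    sensitivity, _, cats = parts[3].partition(":")
    entry["type"] = parts[2]
    entry["sensitivity"] = sensitivity
    entry["categories"] = cats.split(",") if cats else []
    entry["is_symlink"] = entry["mode"].startswith("l")
    return entry

def find_uncategorized(lines, expected_type="app_data_file"):
    """Entries of expected_type whose label has no categories (e.g. plain s0)."""
    flagged = []
    for line in lines:
        entry = parse_ls_z(line)
        if entry and entry["type"] == expected_type and not entry["categories"]:
            flagged.append(entry)
    return flagged

# Constructed sample input modelled on the output quoted in the thread.
SAMPLE = [
    "drwxr-x--x u0_a184  u0_a184          u:object_r:app_data_file:s0:c512,c768 com.example.app",
    "lrwxrwxrwx install  install          u:object_r:app_data_file:s0 lib -> /mnt/asec/com.example.app-2/lib/arm",
    "drwxrwx--x system   system           u:object_r:system_data_file:s0 misc",
]

if __name__ == "__main__":
    for e in find_uncategorized(SAMPLE):
        kind = "symlink" if e["is_symlink"] else "entry"
        print(f"{kind} {e['name']} (owner {e['owner']}): {e['context']} has no categories")
```
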