commit 3a98389263ea0bf9656bcc6869855099194f498c
author Stephen Smalley <sds@tycho.nsa.gov> Tue May 13 12:53:07 2014 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> Tue May 13 12:59:40 2014 -0400
tree 46ba90a49b5ebd0cd544a86c141ab0481bd925a1
parent bd20e551f64234142e1146f9fa4b2dcebbd72122

Ensure that app lib symlinks are correctly labeled when created.

At present, the app lib symlinks are created before setting
the package directory security context, and therefore default
to system_data_file.  Upon a later restorecon_recursive,
they are relabeled to the same type as the package directory,
e.g. app_data_file.  Avoid this inconsistency by setting the
package directory security context before creating the symlink
so that it inherits the same security context.

Change-Id: I1ee6ccd8a2aa63a4d2efda67f313c97932235911
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

cmds/installd/commands.c

diff --git a/cmds/installd/commands.c b/cmds/installd/commands.c
index cfb80e3..70510a5 100644
--- a/cmds/installd/commands.c
+++ b/cmds/installd/commands.c
@@ -85,13 +85,6 @@
         }
     }
 
-    if (symlink(applibdir, libsymlink) < 0) {
-        ALOGE("couldn't symlink directory '%s' -> '%s': %s\n", libsymlink, applibdir,
-                strerror(errno));
-        unlink(pkgdir);
-        return -1;
-    }
-
     if (selinux_android_setfilecon(pkgdir, pkgname, seinfo, uid) < 0) {
         ALOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));
         unlink(libsymlink);
@@ -99,6 +92,13 @@
         return -errno;
     }
 
+    if (symlink(applibdir, libsymlink) < 0) {
+        ALOGE("couldn't symlink directory '%s' -> '%s': %s\n", libsymlink, applibdir,
+                strerror(errno));
+        unlink(pkgdir);
+        return -1;
+    }
+
     if (chown(pkgdir, uid, gid) < 0) {
         ALOGE("cannot chown dir '%s': %s\n", pkgdir, strerror(errno));
         unlink(libsymlink);
@@ -241,13 +241,6 @@
         }
     }
 
-    if (symlink(applibdir, libsymlink) < 0) {
-        ALOGE("couldn't symlink directory for non-primary '%s' -> '%s': %s\n", libsymlink,
-                applibdir, strerror(errno));
-        unlink(pkgdir);
-        return -1;
-    }
-
     if (selinux_android_setfilecon(pkgdir, pkgname, seinfo, uid) < 0) {
         ALOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));
         unlink(libsymlink);
@@ -255,6 +248,13 @@
         return -errno;
     }
 
+    if (symlink(applibdir, libsymlink) < 0) {
+        ALOGE("couldn't symlink directory for non-primary '%s' -> '%s': %s\n", libsymlink,
+                applibdir, strerror(errno));
+        unlink(pkgdir);
+        return -1;
+    }
+
     if (chown(pkgdir, uid, uid) < 0) {
         ALOGE("cannot chown dir '%s': %s\n", pkgdir, strerror(errno));
         unlink(libsymlink);