platform_system_sepolicy/public/idmap.te

32 lines
1.1 KiB
Text
Raw Normal View History

# idmap, when executed by installd
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
Allow idmap1 to read vmdl*.tmp APK install files When upgrading a package, PackageParser acts on the temporary APK file copied from the install location. This is passed to idmap, which doesn't have read access because it's missing an SELinux rule. This is needed to fix a bug with manifest overlaying on updating an app, a feature kept alive for Q. Relevant logs when updating a target: [ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 Bug: 130559507 Test: manual adb push /system/product/app/TestApp.apk with /system/product/overlay/TestOverlay.apk enabling disabled launcher Activity in TestApp; adb install -r TestApp.apk keeps enabled state with changes Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
2019-04-16 01:10:02 +02:00
# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file create_file_perms;
allow idmap resourcecache_data_file:dir rw_dir_perms;
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
Allow idmap1 to read vmdl*.tmp APK install files When upgrading a package, PackageParser acts on the temporary APK file copied from the install location. This is passed to idmap, which doesn't have read access because it's missing an SELinux rule. This is needed to fix a bug with manifest overlaying on updating an app, a feature kept alive for Q. Relevant logs when updating a target: [ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 Bug: 130559507 Test: manual adb push /system/product/app/TestApp.apk with /system/product/overlay/TestOverlay.apk enabling disabled launcher Activity in TestApp; adb install -r TestApp.apk keeps enabled state with changes Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
2019-04-16 01:10:02 +02:00
# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
# Allow the idmap2d binary to register as a service and communicate via AIDL
binder_use(idmap)
binder_service(idmap)
add_service(idmap, idmap_service)