Label ephemeral APKs and handle their install/uninstall am: 6f090f6911 am: 7ece155217 am: fb1c1974c0

am: 4394f36d6b

Change-Id: Ie5bfd30fa52f8f9a6233df23b8489cb36fea7f65
Chad Brubaker 2016-11-12 00:56:45 +00:00 committed by android-build-merger
commit 057d754f9c
9 changed files with 37 additions and 14 deletions


@ -273,6 +273,10 @@
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/app-ephemeral(/.*)? u:object_r:ephemeral_apk_data_file:s0
/data/app-ephemeral/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-ephemeral/vmdl[^/]+\.tmp(/.*)? u:object_r:ephemeral_apk_tmp_file:s0
/data/app-ephemeral/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0


@ -2,7 +2,7 @@
type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type;
r_dir_file(dex2oat, apk_data_file)
r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
allow dex2oat tmpfs:file { read getattr };
@ -22,7 +22,7 @@ allow dex2oat installd:fd use;
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
allow dex2oat apk_tmp_file:file read;
allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read;
allow dex2oat user_profile_data_file:file { getattr read lock };
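Review bot: The new type sets in both hunks are written without inner spaces, `{apk_data_file ephemeral_apk_data_file}` on the r_dir_file line and `{apk_tmp_file ephemeral_apk_tmp_file}` on the read rule, while the surrounding rules bracket sets as `{ read getattr }`. The same spacing appears in the installd hunk, and as a missing closing space in the platform_app hunk (`ephemeral_apk_tmp_file}`) and the system_server hunk (`ephemeral_apk_data_file}`). Writing them as `r_dir_file(dex2oat, { apk_data_file ephemeral_apk_data_file })` and `allow dex2oat { apk_tmp_file ephemeral_apk_tmp_file }:file read;` keeps the policy searchable under one convention.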
##################


@ -325,6 +325,7 @@ neverallow {
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
-ephemeral_apk_data_file
}:file no_x_file_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
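Review bot: Removing ephemeral_apk_data_file from this neverallow's object set lifts the no_x_file_perms prohibition for every domain in the subject set (which begins above the hunk), not only for ephemeral_app, the single domain this change grants execute to. That mirrors the existing apk_data_file exemption, but the label now holds code that ephemeral_app executes while system_server and installd are granted write to it elsewhere in the change, so a companion rule such as `neverallow { domain -installd -system_server } ephemeral_apk_data_file:file no_w_file_perms;` would pin who may modify that code, unless a domain-wide rule not visible here already covers it; the exact exemption list needs checking against the domains that relabel /data/app-ephemeral. A short comment on the new line, `-ephemeral_apk_data_file # ephemeral app code, executed by ephemeral_app`, would also record why it is exempt.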


@ -38,6 +38,10 @@ allow ephemeral_app zygote:unix_dgram_socket write;
allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
# Allow apps to read/execute installed binaries
allow ephemeral_app ephemeral_apk_data_file:dir search;
allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
# For art.
allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
@ -89,6 +93,9 @@ allow ephemeral_app textservices_service:service_manager find;
### neverallow rules
###
# Executable content should never be loaded from an ephemeral app home directory.
neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
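Review bot: The first hunk grants ephemeral_app `{ r_file_perms execute }` on ephemeral_apk_data_file:file but the neverallow section contains no rule asserting that ephemeral_app cannot also write those files, so the read/execute-only property rests on the absence of an allow rather than on a pinned invariant. The three added lines of the second hunk (@@ -89,6 +93,9) are not shown in this rendering; if they do not already do so, `neverallow ephemeral_app ephemeral_apk_data_file:file no_w_file_perms;` next to the existing ephemeral_data_file execute neverallow would make the boundary explicit. Separately, installd is granted lnk_file create on this label in its hunk while ephemeral_app receives no lnk_file permission here; if install creates symlinks under the app directory (e.g. a native lib link, which I cannot confirm from this diff), following them will be denied.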


@ -96,6 +96,9 @@ type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-ephemeral - ephemeral apps
type ephemeral_apk_data_file, file_type, data_file_type;
type ephemeral_apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
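Review bot: The comment introducing the new type pair, `# /data/app-ephemeral - ephemeral apps`, does not say which type labels what, and the two differ in that only ephemeral_apk_tmp_file carries mlstrustedobject. Suggest `# /data/app-ephemeral - ephemeral apps (installed APKs; vmdl*.tmp staging dirs are ephemeral_apk_tmp_file)`, matching the file_contexts entries this change adds. The mlstrustedobject attribute presumably follows the apk_tmp_file pattern so the staging dirs can be written across MLS levels; worth confirming that is still the intent rather than a copy of the older type.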
# /data/ota


@ -337,8 +337,6 @@ unix_socket_connect(init, vold, vold)
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
allow init apk_data_file:dir { getattr search };
allow init dalvikcache_data_file:dir { search getattr };
r_dir_file(init, system_file)
allow init proc_meminfo:file r_file_perms;


@ -9,13 +9,13 @@ allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link };
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
allow installd {apk_data_file ephemeral_apk_data_file}:dir { create_dir_perms relabelfrom };
allow installd {apk_data_file ephemeral_apk_data_file}:file { create_file_perms relabelfrom link };
allow installd {apk_data_file ephemeral_apk_data_file}:lnk_file { create r_file_perms unlink };
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd {apk_tmp_file ephemeral_apk_tmp_file}:file { r_file_perms unlink };
allow installd {apk_tmp_file ephemeral_apk_tmp_file}:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;


@ -12,10 +12,10 @@ bluetooth_domain(platform_app)
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
allow platform_app asec_apk_file:dir create_dir_perms;
@ -56,3 +56,7 @@ allow platform_app vr_manager_service:service_manager find;
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
allow platform_app preloads_data_file:dir r_dir_perms;
# Access to ephemeral APKs
allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
allow platform_app ephemeral_apk_data_file:file r_file_perms;
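Review bot: The second hunk grants platform_app `r_dir_perms` on ephemeral_apk_data_file:dir, which is broader than the `search` the first hunk shows for apk_private_data_file:dir, so platform apps can enumerate /data/app-ephemeral rather than only traverse it to a known path. If platform apps open ephemeral APKs only by path, `allow platform_app ephemeral_apk_data_file:dir search;` is the least-privilege form; if listing is genuinely needed (I cannot tell from this diff), a comment on the `# Access to ephemeral APKs` line naming the component that lists it would justify the wider grant.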


@ -252,6 +252,12 @@ allow system_server apk_private_data_file:file create_file_perms;
allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;
# Manage /data/app-ephemeral
allow system_server ephemeral_apk_data_file:dir create_dir_perms;
allow system_server ephemeral_apk_data_file:file create_file_perms;
allow system_server ephemeral_apk_tmp_file:dir create_dir_perms;
allow system_server ephemeral_apk_tmp_file:file create_file_perms;
# Manage files within asec containers.
allow system_server asec_apk_file:dir create_dir_perms;
allow system_server asec_apk_file:file create_file_perms;
@ -319,8 +325,8 @@ allow system_server { system_app_data_file bluetooth_data_file nfc_data_file rad
allow system_server media_rw_data_file:file { getattr read write append };
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file ephemeral_apk_data_file}:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;