From 97b08903c7a6a1976c41dba9a10cf86b7a552b9a Mon Sep 17 00:00:00 2001
From: Calin Juravle
Date: Thu, 26 Oct 2017 17:42:51 -0700
Subject: [PATCH] Allow installd to read system_data_file:lnk_file
The permission was removed in https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/433615/ but is still needed in order to optimize application code.
Denial example:
10-26 16:29:51.234 894 1469 D PackageManager.DexOptimizer: Running dexopt on: /data/user/0/com.google.android.gms/snet/installed/snet.jar pkg=com.google.android.gms isa=[arm64] dexoptFlags=boot_complete,public,secondary,force,storage_ce target-filter=quicken
10-26 16:29:51.253 2148 2148 W Binder:695_5: type=1400 audit(0.0:39): avc: denied { read } for name="0" dev="sda35" ino=917506 scontext=u:r:installd:s0 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Test: adb shell cmd package reconcile-secondary-dex-files com.google.android.googlequicksearchbox adb shell cmd package compile -m speed --secondary-dex com.google.android.gms
Change-Id: I694d1a780e58fa953d9ebda807f5f5293dbb0d56
---
 public/installd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/public/installd.te b/public/installd.te
index 1ef12254a..d02a86ad4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -45,7 +45,9 @@ allow installd asec_image_file:file getattr;
 # and lib symlinks before the setfilecon call. May want to
 # move symlink creation after setfilecon in installd.
 allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create getattr setattr unlink };
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
 
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
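Review bot: The added `read` on `system_data_file:lnk_file` covers every symlink carrying that type, while the new comment and the denial in the commit message (name="0") concern only the /data/user/0 link. Because installd resolves these links while running dexopt on paths under per-app data directories, the comment should record why the type-wide grant is acceptable; presumably only privileged domains can create links with this label, but that is not visible in this hunk and should be confirmed against the rest of the policy. Suggested wording: `# read is needed to resolve the /data/user/0 symlink during dexopt; links of this type are expected to be created only by privileged domains (confirm).` The comment block being extended starts above the hunk.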