Adjust rules around /data/app entities

This is to accomodate migration to (and ongoing support of) a new installed-app file topology, in which APK files are placed in /data/app/$PACKAGE-rev/, there is a canonical-path symlink /data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native libraries exist not under a top-level /data/app-lib/$PACKAGE-rev hard directory, but rather under /data/app/$PACKAGE/lib (when referenced by canonical path). Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0
2014-05-30 15:21:22 -07:00 · 2014-05-30 15:21:22 -07:00 · 6f6c425563
commit 6f6c425563
parent 86b05c47d4
3 changed files with 7 additions and 1 deletions
--- a/app.te
+++ b/app.te
@ -137,6 +137,9 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 allow appdomain shared_relro_file:dir search;
 allow appdomain shared_relro_file:file r_file_perms;

+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:file { rx_file_perms execmod };
+
 ###
 ### CTS-specific rules
 ###
--- a/domain.te
+++ b/domain.te
@ -96,6 +96,7 @@ allow domain system_data_file:lnk_file r_file_perms;
 # Read apk files under /data/app.
 allow domain apk_data_file:dir { getattr search };
 allow domain apk_data_file:file r_file_perms;
+allow domain apk_data_file:lnk_file r_file_perms;

 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };
--- a/installd.te
+++ b/installd.te
@ -5,7 +5,9 @@ type installd_exec, exec_type, file_type;
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file r_file_perms;
+allow installd apk_data_file:file rename;
+allow installd apk_data_file:dir create_dir_perms;
+allow installd apk_data_file:lnk_file { create read unlink };
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd oemfs:dir r_dir_perms;