From 8da7876bf97b2a7207af60d7accce1ca310bc0f2 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Thu, 9 Apr 2015 21:07:36 -0700
Subject: [PATCH] Allow installd to move around private app data.

Add rules that allow installd to move private app data between internal and expanded storage devices. For now we'll be reusing the "cp" binary using android_fork_execvp(), so grant access to devpts.
avc: denied { read write } for name="14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
avc: denied { read } for name="com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { open } for path="/data/data/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { create } for name="com.android.opengl.shaders_cache" scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1
avc: denied { read write open } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/user/0/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="dm-0" ino=64518 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1
Bug: 19993667
Change-Id: I5188e660c8b5e97eab8f0c74147499ec688f3f19
---
 installd.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/installd.te b/installd.te
index 6c7fea4eb..3f685f1ce 100644
--- a/installd.te
+++ b/installd.te
@@ -83,5 +83,7 @@ allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlin
 # upon package uninstall.
 # Types extracted from seapp_contexts type= fields.
 allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:lnk_file { create setattr getattr unlink rename relabelfrom relabelto };
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
+allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
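Review bot: The new `notdevfile_class_set { create_file_perms relabelfrom relabelto }` line widens installd from the metadata-only permissions the removed lines granted on file, sock_file and fifo_file (getattr, unlink, rename, setattr, relabel) to create/open/read/write on the contents of every listed app-private type — system_app_data_file, bluetooth_data_file, nfc_data_file, radio_data_file and shell_data_file as well as app_data_file — and across sock_file and fifo_file too, while the denials quoted in the commit message involve only regular files of type app_data_file. That is presumably what the cp-based move needs, but the only new comment in the hunk explains the pty, so the widening itself should be documented in the policy, e.g. `# Read, write and create app private data so installd can move it between internal and expanded storage (cp run via android_fork_execvp()).` If the copy only needs to recreate sockets and fifos rather than read or write through them, a narrower permission set for those two classes would keep installd away from live IPC endpoints; worth confirming against what the copy actually does. The `devpts:chr_file rw_file_perms` rule necessarily covers every pty on the device rather than the one android_fork_execvp() allocates, which is inherent to the type but worth stating in the comment for later audits.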