From 8f821db783e67998c55785f18eeca97e57d061dd Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Thu, 30 Apr 2015 16:07:49 -0700
Subject: [PATCH] Allow installd to move APKs.
As an optimization, installd is now moving previously-installed applications between attached storage volumes. This is effectively copying to the new location, then deleting the old location. Since OAT files can now live under /data/app directories, we also need the ability to relabel those files.
avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1
Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458
---
 installd.te | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/installd.te b/installd.te
index 3f685f1ce..a47853f80 100644
--- a/installd.te
+++ b/installd.te
@@ -5,10 +5,16 @@ type installd_exec, exec_type, file_type;
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file { rename unlink };
+
+# Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file relabelto;
+
+# Allow movement of APK files between volumes
 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom };
 allow installd apk_data_file:lnk_file { create read unlink };
+
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file { r_file_perms unlink };
 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
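Review bot: The new `allow installd apk_data_file:file { create_file_perms relabelfrom };` rule widens installd from `{ rename unlink }` to creating, writing and changing attributes on every file labelled apk_data_file, but the comment above it only mentions moving APKs. installd also holds `dac_override` and `fowner` (the capability line at the top of the hunk), so file-mode checks do not limit it and this type rule is what bounds its access to installed APKs. The comment should say so, for example `# Copy-then-delete move needs create/write/setattr on APK files; this also permits in-place modification of installed APKs.` The `relabelfrom` in the same rule pairs with the added `dalvikcache_data_file:file relabelto` for OAT files rather than with the move. Type rules cannot be scoped to the oat/ path, so the pair allows any apk_data_file file to be relabelled to dalvikcache_data_file, which is worth stating under the first comment. The rest of installd.te, including any neverallow rules that bound this, is outside the hunk.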