Allow installd to move APKs.

As an optimization, installd is now moving previously-installed
applications between attached storage volumes.  This is effectively
copying to the new location, then deleting the old location.

Since OAT files can now live under /data/app directories, we also
need the ability to relabel those files.

avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1

Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458
This commit is contained in:
Jeff Sharkey 2015-04-30 16:07:49 -07:00
parent f7163597f5
commit 8f821db783

View file

@ -5,10 +5,16 @@ type installd_exec, exec_type, file_type;
init_daemon_domain(installd) init_daemon_domain(installd)
typeattribute installd mlstrustedsubject; typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid }; allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
allow installd apk_data_file:file { rename unlink };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto; allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file relabelto;
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom }; allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom };
allow installd apk_data_file:lnk_file { create read unlink }; allow installd apk_data_file:lnk_file { create read unlink };
allow installd asec_apk_file:file r_file_perms; allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink }; allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms }; allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };