Merge "apexd: allow apexd to unlink staging_data_file files"

Nikita Ioffe 2019-02-06 15:17:50 +00:00 committed by Gerrit Code Review
commit 9dbb71f4cc
2 changed files with 7 additions and 2 deletions


@ -40,6 +40,10 @@ allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
# allow apexd to relabel apk_tmp_file to apex_data_file.
# TODO(b/112669193) remove this when APEXes are staged via file descriptor
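Review bot: The comment above the new `allow apexd staging_data_file:file unlink;` rule describes it as scoped to `/data/apex/active`, but the rule is type-scoped: it grants `unlink` on every file labelled `staging_data_file`, wherever it lives. What actually keeps files under `/data/staging/session_XXXX` intact is that apexd is never granted `remove_name` (part of `no_w_dir_perms`) on `staging_data_file` directories — the `staging_data_file:dir no_w_dir_perms` neverallow in the second file does not exempt apexd, so the kernel refuses the directory-entry removal even though the file permission is now allowed. The comment should name that dependency so the protection is not silently lost if the dir neverallow is ever relaxed, e.g. `# note that apexd still cannot unlink files under /data/staging/session_XXXX: unlink also` / `# needs remove_name on the parent dir, and apexd has no write perms on staging_data_file dirs.` The hunk header announces ten new lines (six context, four added) while this rendering shows nine, so one context line appears to be missing from the view.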


@ -153,9 +153,10 @@ neverallow {
neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
{ append create unlink relabelfrom rename setattr write no_x_file_perms };
{ append create relabelfrom rename setattr write no_x_file_perms };
neverallow {
domain