Allow apexd to create symlink in /apex.

Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
This commit is contained in:
Dario Freni 2018-10-16 08:02:49 +01:00
parent 247f061a65
commit bab267a88f
4 changed files with 10 additions and 0 deletions

View file

@ -29,6 +29,9 @@ allow apexd apex_mnt_dir:dir create_dir_perms;
# allow apexd to mount in /apex # allow apexd to mount in /apex
allow apexd apex_mnt_dir:filesystem { mount unmount }; allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton; allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
# Unmount and mount filesystems # Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount }; allow apexd labeledfs:filesystem { mount unmount };
@ -40,3 +43,4 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms; neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms; neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;

View file

@ -343,6 +343,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
# Under ASAN, /system/asan.options needs to be globally accessible. # Under ASAN, /system/asan.options needs to be globally accessible.
with_asan(`allow domain system_asan_options_file:file r_file_perms;') with_asan(`allow domain system_asan_options_file:file r_file_perms;')
# read APEX dir and stat any symlink pointing to APEXs.
allow domain apex_mnt_dir:dir search;
allow domain apex_mnt_dir:lnk_file r_file_perms;
### ###
### neverallow rules ### neverallow rules
### ###

View file

@ -205,6 +205,7 @@ allow init {
allow init { allow init {
file_type file_type
-apex_mnt_dir
-app_data_file -app_data_file
-exec_type -exec_type
-iorapd_data_file -iorapd_data_file

View file

@ -78,6 +78,7 @@ allow vendor_init {
allow vendor_init { allow vendor_init {
file_type file_type
-apex_mnt_dir
-core_data_file_type -core_data_file_type
-exec_type -exec_type
-system_file_type -system_file_type