Merge "Allow isolated to read staged apks" into main

2023-12-05 17:57:17 +00:00 · 2023-12-05 17:57:17 +00:00 · bce6591af7
commit bce6591af7
parent cba619bf60 cf2694bf86
2 changed files with 10 additions and 6 deletions
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@ -32,6 +32,9 @@ allow isolated_app_all app_zygote:unix_dgram_socket write;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app_all shell_data_file:dir search;

+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
 #####
 ##### Neverallow
 #####
--- a/public/app.te
+++ b/public/app.te
@ -109,9 +109,6 @@ neverallow appdomain drm_data_file:dir_file_class_set
 neverallow { appdomain -platform_app }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
@ -139,11 +136,15 @@ neverallow appdomain
    { create write setattr relabelfrom relabelto append unlink link rename };

 # access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+    apk_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;

-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };

 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;