From cf2694bf863fc31ac5862b92bb9258136de57932 Mon Sep 17 00:00:00 2001
From: Marie Matheson
Date: Thu, 30 Nov 2023 19:37:43 +0000
Subject: [PATCH] Allow isolated to read staged apks

type=1400 audit(0.0:835): avc: denied { read } for path="/data/app/vmdl1923101285.tmp/base.apk" dev="dm-37" ino=29684 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0

Bug: 308775782
Test: Flashed to device with and without this change, confirmed that this change allows an isolated process to read already opened staged apk file
Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
---
 private/isolated_app_all.te | 3 +++
 public/app.te | 13 +++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 189d06405..1ffcabe6e 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,6 +32,9 @@ allow isolated_app_all app_zygote:unix_dgram_socket write;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app_all shell_data_file:dir search;
 
+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
 #####
 ##### Neverallow
 #####
diff --git a/public/app.te b/public/app.te
index a45149f35..b53991304 100644
--- a/public/app.te
+++ b/public/app.te
@@ -109,9 +109,6 @@ neverallow appdomain drm_data_file:dir_file_class_set
 neverallow { appdomain -platform_app }
   apk_data_file:dir_file_class_set
   { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-  apk_tmp_file:dir_file_class_set
-  { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
   apk_private_data_file:dir_file_class_set
   { create write setattr relabelfrom relabelto append unlink link rename };
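Review bot: The new allow rule for isolated_app_all grants `{ read getattr }` on apk_private_tmp_file as well as apk_tmp_file, but the denial quoted in the commit message is only against apk_tmp_file; if isolated processes are never handed an fd for a privately staged apk, dropping apk_private_tmp_file keeps the grant at what the bug actually needs. The comment "read (but not open)" would also help a later reader if it said what that relies on, e.g. `# Allow reading a staged apk through an fd received from another domain. No open is granted, so the path under /data/app stays unreachable to isolated processes.`.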
@@ -139,11 +136,15 @@ neverallow appdomain
   { create write setattr relabelfrom relabelto append unlink link rename };
 
 # access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+  apk_tmp_file:dir_file_class_set
+  { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
   { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
 
 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;
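Review bot: After the move, the `# access tmp apk files` comment now introduces the create/write neverallow relocated from the earlier hunk rather than the access restriction it originally described, so the reason isolated_app_all is exempted from the broad `dir_file_class_set *` rule is no longer stated anywhere in this file; a comment above the exempting neverallow such as `# isolated_app_all may only read/getattr an already-open staged apk (see isolated_app_all.te); open, map and every other class stay forbidden.` would restore the link. Note also that `file ~{ getattr read }` leaves `map` neverallowed for isolated_app_all, so a consumer that mmaps the received apk fd would still be denied; the Test line suggests the reader path uses read(), but that is worth confirming before the rule is relied on.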