Rules to allow installing package directories.
Earlier changes had extended the rules, but some additional changes are needed. avc: denied { relabelfrom } for name="vmdl-723825123.tmp" dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir Bug: 14975160 Change-Id: Ia644c73ec10460a2a529fe197ade6afe46694651
parent
0c9a873a78
commit
c02c98d327
2 changed files with 12 additions and 10 deletions
|
@ -179,10 +179,10 @@
|
|||
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
|
||||
/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
|
||||
/data/anr(/.*)? u:object_r:anr_data_file:s0
|
||||
/data/app(/.*)? u:object_r:apk_data_file:s0
|
||||
/data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0
|
||||
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
|
||||
/data/app-private/vmdl.*\.tmp u:object_r:apk_private_tmp_file:s0
|
||||
/data/app(/.*)? u:object_r:apk_data_file:s0
|
||||
/data/app/vmdl.*\.tmp(/.*)? u:object_r:apk_tmp_file:s0
|
||||
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
|
||||
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
|
||||
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
|
||||
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
|
||||
/data/media(/.*)? u:object_r:media_rw_data_file:s0
|
||||
|
@ -236,7 +236,7 @@
|
|||
|
||||
#############################
|
||||
# asec containers
|
||||
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
|
||||
/mnt/asec/[^/]+/res\.zip u:object_r:asec_public_file:s0
|
||||
/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
|
||||
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
|
||||
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
|
||||
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
|
||||
/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
|
||||
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
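Review bot: In the first hunk, the new `/data/app/vmdl.*\.tmp(/.*)?` and `/data/app-private/vmdl.*\.tmp(/.*)?` entries still use `.*`, which in a file_contexts regex also matches `/`. The tmp label is therefore not confined to a single `vmdl…tmp` path component, and it now extends to everything beneath any match. Restricting the name to one component, `/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0` (and likewise for app-private), would keep the staging label on staging directories only. Separately, the second hunk widens `asec_public_file` from `res\.zip` to any top-level `[^/]+\.zip`, which the commit message does not mention; a comment above that entry saying which archives are expected to carry the public label would help.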
|
||||
|
|
|
@ -171,11 +171,13 @@ allow system_server system_data_file:notdevfile_class_set create_file_perms;
|
|||
# Manage /data/app.
|
||||
allow system_server apk_data_file:dir create_dir_perms;
|
||||
allow system_server apk_data_file:file create_file_perms;
|
||||
allow system_server apk_tmp_file:dir create_dir_perms;
|
||||
allow system_server apk_tmp_file:file create_file_perms;
|
||||
|
||||
# Manage /data/app-private.
|
||||
allow system_server apk_private_data_file:dir create_dir_perms;
|
||||
allow system_server apk_private_data_file:file create_file_perms;
|
||||
allow system_server apk_private_tmp_file:dir create_dir_perms;
|
||||
allow system_server apk_private_tmp_file:file create_file_perms;
|
||||
|
||||
# Manage files within asec containers.
|
||||
|
@ -252,8 +254,8 @@ allow system_server media_rw_data_file:file { getattr read write };
|
|||
security_access_policy(system_server)
|
||||
|
||||
# Relabel apk files.
|
||||
allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
|
||||
allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
|
||||
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
|
||||
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
|
||||
|
||||
# Relabel wallpaper.
|
||||
allow system_server system_data_file:file relabelfrom;
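Review bot: The relabel rules in the last hunk grant both `relabelfrom` and `relabelto` on `dir` for all four apk types, whereas the denial quoted in the commit message is only `relabelfrom` on an `apk_data_file` directory. If the install flow only moves staged directories in known directions, the rule could be split so each type gets just the permission it needs. If both directions really are required, the `# Relabel apk files.` comment should say so, for example `# Relabel apk files and staged package directories between the tmp and final labels.` This matters because, per the file_contexts entries in this commit, `apk_data_file` covers everything under `/data/app`, so the dir grant is not limited to `vmdl*.tmp` staging directories.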
|
||||
|
|