004bd4e0b6
91a4f8d4fd
created system_app_data_file,
and assigned all system_apps to use this file type. For testing purposes,
our automated testing infrastructure sideloads shared system UID apks.
Installd does not have permission to create the lib symlink, so the
installation fails.
Allow installd to create this symlink.
repro:
adb install AppLaunch.apk
276 KB/s (8414 bytes in 0.029s)
pkg: /data/local/tmp/AppLaunch.apk
Failure [INSTALL_FAILED_INTERNAL_ERROR]
logcat:
05-08 23:16:36.336 605 637 I PackageManager: Copying native libraries to /data/app-lib/vmdl609237490
05-08 23:16:36.338 605 637 W asset : Installing empty resources in to table 0x5e89a368
05-08 23:16:36.359 193 193 W installd: type=1400 audit(0.0:29): avc: denied { create } for name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file
05-08 23:16:36.363 193 193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied
05-08 23:16:36.364 605 637 W PackageManager: Failed linking native library dir (user=0)
05-08 23:16:36.364 605 637 W PackageManager: Package couldn't be installed in /data/app/com.android.tests.applaunch-1.apk
Bug: 14659632
Change-Id: Iac4890302cd070aa3f71553af217f343ed7b8bc3
# installd - installer daemon
#
# Domain type and the type of its executable. init_daemon_domain() is the
# policy macro used for daemons that init starts.
type installd, domain;
type installd_exec, exec_type, file_type;

init_daemon_domain(installd)

# installd is a relabel-to domain and an MLS-trusted subject.
# NOTE(review): both are broad grants, presumably needed because installd
# prepares data directories for every app; confirm against the macro and
# constraint definitions, which are not part of this file.
relabelto_domain(installd)
typeattribute installd mlstrustedsubject;

# Capabilities that bypass Unix ownership and permission checks. With
# dac_override/fowner/chown granted, the allow rules below are what actually
# bound the files installd can touch.
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };

# Create and manage files labeled as system data or dalvik cache.
allow installd {
    system_data_file
    dalvikcache_data_file
    dalvikcache_profiles_data_file
}:file create_file_perms;
allow installd dalvikcache_profiles_data_file:dir create_dir_perms;
allow installd system_data_file:lnk_file create;

# Broad rules over every data file type. keystore_data_file is subtracted
# from each set, so none of these rules reach the keystore's data.
allow installd { data_file_type -keystore_data_file }:dir { create_dir_perms relabelfrom relabelto };
allow installd { data_file_type -keystore_data_file }:file_class_set { getattr unlink };

# Read-only inputs: apk_data_file, apk_tmp_file and oemfs.
allow installd { apk_data_file apk_tmp_file oemfs }:file r_file_perms;
allow installd oemfs:dir r_dir_perms;

# Execute files labeled system_file; create directories under cgroup.
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;

# Check validity of SELinux context before use.
selinux_check_context(installd)

# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(installd)
# ASEC: read access to asec_apk_file.
allow installd asec_apk_file:file r_file_perms;

# Native library symlink. installd creates <app data dir>/lib as a symlink
# into /data/app-lib, so it needs lnk_file create/setattr on every type an
# app data directory can be labeled with. A type missing from this set shows
# up as "avc: denied { create } ... tclass=lnk_file" from installd and the
# install fails with INSTALL_FAILED_INTERNAL_ERROR.
allow installd {
    app_data_file
    bluetooth_data_file
    nfc_data_file
    radio_data_file
    shell_data_file
    system_app_data_file
}:lnk_file { create setattr };
# restorecon /data/data
#
# Objects that are still unlabeled, or that carry the generic
# system_data_file type, may be relabeled away from that type. These rules
# grant relabelfrom only.
allow installd { unlabeled system_data_file }:{ dir notdevfile_class_set } relabelfrom;

# Per-app data types: relabeling in both directions, for directories and the
# classes in notdevfile_class_set.
# NOTE(review): by its name that class set leaves device nodes out; confirm
# in the macro definition, which is not part of this file.
allow installd {
    system_app_data_file
    bluetooth_data_file
    nfc_data_file
    radio_data_file
    app_data_file
    shell_data_file
}:{ dir notdevfile_class_set } { relabelfrom relabelto };