platform_system_sepolicy/prebuilts/api/30.0/public/installd.te
Inseob Kim 5131ff6544 DO NOT MERGE Add fake 30.0 prebuilts
This prebuilt is based on the AOSP policy, but slightly manipulated so
that the set of types and attributes are identical with R policy.

Following types are removed.

boot_status_prop
dalvik_config_prop
gnss_device
surfaceflinger_color_prop
surfaceflinger_prop
systemsound_config_prop
vold_config_prop
vold_status_prop

Following type is renamed.

wificond_service -> wifinl80211_service

Bug: 153661471
Test: N/A
Change-Id: I018d5e43f53c2bf721db1d13f5f4be42b9782b29
2020-05-11 13:18:52 +09:00

190 lines
7.7 KiB
Text

# installer daemon
type installd, domain;
type installd_exec, system_file_type, exec_type, file_type;
typeattribute installd mlstrustedsubject;
allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link };
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
# TODO(b/120629632): this path is deprecated, remove when possible.
allowxperm installd apk_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
# Scan through JARs in /vendor/framework
r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
allow installd seapp_contexts_file:file r_file_perms;
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
# Create /data/user and /data/user/0 if necessary.
# Also required to initially create /data/data subdirectories
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
# Also, allow read for lnk_file so that we can process /data/user/0 links when
# optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
# Manage lower filesystem via pass_through mounts
allow installd mnt_pass_through_file:dir r_dir_perms;
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
# restorecon new /data/media directory.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
allow installd sdcard_type:file { getattr unlink };
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { create_dir_perms mounton };
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
allow installd keychain_data_file:dir create_dir_perms;
allow installd keychain_data_file:file {r_file_perms unlink};
# Create /data/misc/installd/layout_version.* file
allow installd install_data_file:file create_file_perms;
allow installd install_data_file:dir rw_dir_perms;
# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir create_dir_perms;
allow installd dalvikcache_data_file:file create_file_perms;
allow installd dalvikcache_data_file:lnk_file getattr;
# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms;
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
# Read pkg.apk file for input during dexopt.
allow installd unlabeled:file r_file_perms;
# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
# Types extracted from seapp_contexts type= fields.
allow installd {
system_app_data_file
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
app_data_file
privapp_data_file
}:dir { create_dir_perms relabelfrom relabelto };
allow installd {
system_app_data_file
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
app_data_file
privapp_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
# Similar for the files under /data/misc/profiles/
allow installd user_profile_data_file:dir create_dir_perms;
allow installd user_profile_data_file:file create_file_perms;
allow installd user_profile_data_file:dir rmdir;
allow installd user_profile_data_file:file unlink;
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
# execute toybox for app relocation
allow installd toolbox_exec:file rx_file_perms;
# Allow installd to publish a binder service and make binder calls.
binder_use(installd)
add_service(installd, installd_service)
allow installd dumpstate:fifo_file { getattr write };
# Allow installd to call into the system server so it can check permissions.
binder_call(installd, system_server)
allow installd permission_service:service_manager find;
# Allow installd to read and write quotas
allow installd block_device:dir { search };
allow installd labeledfs:filesystem { quotaget quotamod };
# Allow installd to delete from /data/preloads when trimming data caches
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
allow installd preloads_data_file:file { r_file_perms unlink };
allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow installd preloads_media_file:file { r_file_perms unlink };
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
###
### Neverallow rules
###
# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
neverallow installd {
domain
-system_server
-servicemanager
userdebug_or_eng(`-su')
}:binder call;