tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/installd.te
Nick Kralevich 75d63fcfd2 Put dex2oat in it's own sandbox 
Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's too
excessive.

dex2oat handles untrusted user data, so we want to put it in
it's own tighter sandbox.

Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
2014-07-10 15:33:11 -07:00

81 lines
3.9 KiB
Text
Raw Blame History

# installer daemon
type installd, domain;
type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
allow installd apk_data_file:file rename;
allow installd apk_data_file:dir create_dir_perms;
allow installd apk_data_file:lnk_file { create read unlink };
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file r_file_perms;
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(installd)
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
# Create /data/user and /data/user/0 if necessary.
# Also required to initially create /data/data subdirectories
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
allow installd system_data_file:lnk_file { create setattr unlink };
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
# restorecon new /data/media directory.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
allow installd install_data_file:file create_file_perms;
# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir create_dir_perms;
allow installd dalvikcache_data_file:file create_file_perms;
# Create /data/dalvik-cache/profiles.
allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
allow installd dalvikcache_profiles_data_file:file create_file_perms;
# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms;
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
# dex2oat needs LD_PRELOAD, passed down from init
# https://android-review.googlesource.com/94851
allow installd dex2oat:process noatsecure;
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
# Read pkg.apk file for input during dexopt.
allow installd unlabeled:file r_file_perms;
# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
# Types extracted from seapp_contexts type= fields.
allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:lnk_file { create setattr getattr unlink rename relabelfrom relabelto };
allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
Reference in a new issue View git blame Copy permalink