tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/installd.te
Stephen Smalley b335e3847f Run idmap in its own domain. 
Run idmap in its own domain rather than leaving it in installd's domain.
This prevents misuse of installd's permissions by idmap.

zygote also needs to run idmap.  For now, just run it in zygote's
domain as it was previously since that is what is done for dex2oat
invocation by zygote.  zygote appears to run idmap with system uid
while installd runs it with app UIDs, so using different domains
seems appropriate.

Remove system_file execute_no_trans from both installd and zygote;
this should no longer be needed with explicit labels for dex2oat and
idmap.

Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-06-19 14:34:20 -04:00

97 lines
4.3 KiB
Text
Raw Blame History

# installer daemon
type installd, domain;
type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file relabelto;
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom };
allow installd apk_data_file:lnk_file { create read unlink };
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
allow installd mnt_expand_file:dir search;
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(installd)
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
# Create /data/user and /data/user/0 if necessary.
# Also required to initially create /data/data subdirectories
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
allow installd system_data_file:lnk_file { create setattr unlink };
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
# restorecon new /data/media directory.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
allow installd keychain_data_file:dir create_dir_perms;
allow installd keychain_data_file:file {r_file_perms unlink};
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
allow installd install_data_file:file create_file_perms;
# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir create_dir_perms;
allow installd dalvikcache_data_file:file create_file_perms;
# Create /data/dalvik-cache/profiles.
allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
allow installd dalvikcache_profiles_data_file:file create_file_perms;
# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms;
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
# Read pkg.apk file for input during dexopt.
allow installd unlabeled:file r_file_perms;
# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
# Types extracted from seapp_contexts type= fields.
allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
Reference in a new issue View git blame Copy permalink