7aa40413ae
user_profile_data_file is mlstrustedobject. And it needs to be, because we want untrusted apps to be able to write to their profile files, but they do not have levels. But now we want to apply levels in the parent directories that have the same label, and we want them to work so they need to not be MLS-exempt. To resolve that we introduce a new label, user_profile_root_file, which is applied to those directories (but no files). We grant mostly the same access to the new label as directories with the existing label. Apart from appdomain, almost every domain which accesses user_profile_data_file, and now user_profile_root_file, is already mlstrustedsubject and so can't be affected by this change. The exception is postinstall_dexopt which we now make mlstrustedobject. Bug: 141677108 Bug: 175311045 Test: Manual: flash with wipe Test: Manual: flash on top of older version Test: Manual: install & uninstall apps Test: Manual: create & remove user Test: Presubmits. Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
171 lines
7.4 KiB
Text
171 lines
7.4 KiB
Text
# installer daemon
|
|
type installd, domain;
|
|
type installd_exec, system_file_type, exec_type, file_type;
|
|
typeattribute installd mlstrustedsubject;
|
|
allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
|
|
|
|
# Allow labeling of files under /data/app/com.example/oat/
|
|
allow installd dalvikcache_data_file:dir relabelto;
|
|
allow installd dalvikcache_data_file:file { relabelto link };
|
|
|
|
# Allow movement of APK files between volumes
|
|
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
|
|
allow installd apk_data_file:file { create_file_perms relabelfrom link };
|
|
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
|
|
|
|
# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
|
|
# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
|
|
# TODO(b/120629632): this path is deprecated, remove when possible.
|
|
allowxperm installd apk_data_file:file ioctl {
|
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
|
};
|
|
|
|
allow installd asec_apk_file:file r_file_perms;
|
|
allow installd apk_tmp_file:file { r_file_perms unlink };
|
|
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
|
|
allow installd oemfs:dir r_dir_perms;
|
|
allow installd oemfs:file r_file_perms;
|
|
allow installd cgroup:dir create_dir_perms;
|
|
allow installd mnt_expand_file:dir { search getattr };
|
|
# Check validity of SELinux context before use.
|
|
selinux_check_context(installd)
|
|
|
|
r_dir_file(installd, rootfs)
|
|
# Scan through APKs in /system/app and /system/priv-app
|
|
r_dir_file(installd, system_file)
|
|
# Scan through APKs in /vendor/app
|
|
r_dir_file(installd, vendor_app_file)
|
|
# Scan through JARs in /vendor/framework
|
|
r_dir_file(installd, vendor_framework_file)
|
|
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
|
|
r_dir_file(installd, vendor_overlay_file)
|
|
# Get file context
|
|
allow installd file_contexts_file:file r_file_perms;
|
|
# Get seapp_context
|
|
allow installd seapp_contexts_file:file r_file_perms;
|
|
|
|
# Search /data/app-asec and stat files in it.
|
|
allow installd asec_image_file:dir search;
|
|
allow installd asec_image_file:file getattr;
|
|
|
|
# Create /data/user and /data/user/0 if necessary.
|
|
# Also required to initially create /data/data subdirectories
|
|
# and lib symlinks before the setfilecon call. May want to
|
|
# move symlink creation after setfilecon in installd.
|
|
allow installd system_data_file:dir create_dir_perms;
|
|
# Also, allow read for lnk_file so that we can process /data/user/0 links when
|
|
# optimizing application code.
|
|
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
|
|
|
|
# Manage lower filesystem via pass_through mounts
|
|
allow installd mnt_pass_through_file:dir r_dir_perms;
|
|
|
|
# Upgrade /data/media for multi-user if necessary.
|
|
allow installd media_rw_data_file:dir create_dir_perms;
|
|
allow installd media_rw_data_file:file { getattr unlink };
|
|
# restorecon new /data/media directory.
|
|
allow installd system_data_file:dir relabelfrom;
|
|
allow installd media_rw_data_file:dir relabelto;
|
|
|
|
# Delete /data/media files through sdcardfs, instead of going behind its back
|
|
allow installd tmpfs:dir r_dir_perms;
|
|
allow installd storage_file:dir search;
|
|
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
|
|
allow installd sdcard_type:file { getattr unlink };
|
|
|
|
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
|
|
allow installd mirror_data_file:dir { create_dir_perms mounton };
|
|
|
|
# Upgrade /data/misc/keychain for multi-user if necessary.
|
|
allow installd misc_user_data_file:dir create_dir_perms;
|
|
allow installd misc_user_data_file:file create_file_perms;
|
|
allow installd keychain_data_file:dir create_dir_perms;
|
|
allow installd keychain_data_file:file {r_file_perms unlink};
|
|
|
|
# Create /data/misc/installd/layout_version.* file
|
|
allow installd install_data_file:file create_file_perms;
|
|
allow installd install_data_file:dir rw_dir_perms;
|
|
|
|
# Create files under /data/dalvik-cache.
|
|
allow installd dalvikcache_data_file:dir create_dir_perms;
|
|
allow installd dalvikcache_data_file:file create_file_perms;
|
|
allow installd dalvikcache_data_file:lnk_file getattr;
|
|
|
|
# Create files under /data/resource-cache.
|
|
allow installd resourcecache_data_file:dir rw_dir_perms;
|
|
allow installd resourcecache_data_file:file create_file_perms;
|
|
|
|
# Upgrade from unlabeled userdata.
|
|
# Just need enough to remove and/or relabel it.
|
|
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
|
|
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
|
|
# Read pkg.apk file for input during dexopt.
|
|
allow installd unlabeled:file r_file_perms;
|
|
|
|
# Upgrade from before system_app_data_file was used for system UID apps.
|
|
# Just need enough to relabel it and to unlink removed package files.
|
|
# Directory access covered by earlier rule above.
|
|
allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
|
|
|
|
# Manage /data/data subdirectories, including initially labeling them
|
|
# upon creation via setfilecon or running restorecon_recursive,
|
|
# setting owner/mode, creating symlinks within them, and deleting them
|
|
# upon package uninstall.
|
|
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
|
|
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
|
|
|
|
# Similar for the files under /data/misc/profiles/
|
|
allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
|
|
allow installd user_profile_data_file:dir { create_dir_perms relabelto };
|
|
allow installd user_profile_data_file:file create_file_perms;
|
|
allow installd user_profile_data_file:file unlink;
|
|
|
|
# Allow zygote to unmount mirror directories
|
|
allow installd labeledfs:filesystem unmount;
|
|
|
|
# Files created/updated by profman dumps.
|
|
allow installd profman_dump_data_file:dir { search add_name write };
|
|
allow installd profman_dump_data_file:file { create setattr open write };
|
|
|
|
# Create and use pty created by android_fork_execvp().
|
|
allow installd devpts:chr_file rw_file_perms;
|
|
|
|
# execute toybox for app relocation
|
|
allow installd toolbox_exec:file rx_file_perms;
|
|
|
|
# Allow installd to publish a binder service and make binder calls.
|
|
binder_use(installd)
|
|
add_service(installd, installd_service)
|
|
allow installd dumpstate:fifo_file { getattr write };
|
|
|
|
# Allow installd to call into the system server so it can check permissions.
|
|
binder_call(installd, system_server)
|
|
allow installd permission_service:service_manager find;
|
|
|
|
# Allow installd to read and write quotas
|
|
allow installd block_device:dir { search };
|
|
allow installd labeledfs:filesystem { quotaget quotamod };
|
|
|
|
# Allow installd to delete from /data/preloads when trimming data caches
|
|
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
|
|
allow installd preloads_data_file:file { r_file_perms unlink };
|
|
allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
|
allow installd preloads_media_file:file { r_file_perms unlink };
|
|
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
|
|
|
# Allow installd to read /proc/filesystems
|
|
allow installd proc_filesystems:file r_file_perms;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
|
|
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
|
|
neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
|
|
neverallow installd {
|
|
domain
|
|
-system_server
|
|
-servicemanager
|
|
userdebug_or_eng(`-su')
|
|
}:binder call;
|