platform_system_sepolicy/public/installd.te
Alan Stokes 06bac37f51 Installd doesn't need to create cgroup files.
cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

(cherry picked from commit 8e8c109350)
2018-04-09 13:49:13 +01:00

160 lines
6.7 KiB
Text

# installer daemon
type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link };
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
allow installd seapp_contexts_file:file r_file_perms;
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
# Create /data/user and /data/user/0 if necessary.
# Also required to initially create /data/data subdirectories
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
# Also, allow read for lnk_file so that we can process /data/user/0 links when
# optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
# restorecon new /data/media directory.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
allow installd sdcardfs:file { getattr unlink };
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
allow installd keychain_data_file:dir create_dir_perms;
allow installd keychain_data_file:file {r_file_perms unlink};
# Create /data/.layout_version.* file
allow installd install_data_file:file create_file_perms;
# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir create_dir_perms;
allow installd dalvikcache_data_file:file create_file_perms;
allow installd dalvikcache_data_file:lnk_file getattr;
# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms;
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
# Read pkg.apk file for input during dexopt.
allow installd unlabeled:file r_file_perms;
# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
# Types extracted from seapp_contexts type= fields.
allow installd {
system_app_data_file
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
app_data_file
}:dir { create_dir_perms relabelfrom relabelto };
allow installd {
system_app_data_file
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
app_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Similar for the files under /data/misc/profiles/
allow installd user_profile_data_file:dir create_dir_perms;
allow installd user_profile_data_file:file create_file_perms;
allow installd user_profile_data_file:dir rmdir;
allow installd user_profile_data_file:file unlink;
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
# execute toybox for app relocation
allow installd toolbox_exec:file rx_file_perms;
# Allow installd to publish a binder service and make binder calls.
binder_use(installd)
add_service(installd, installd_service)
allow installd dumpstate:fifo_file { getattr write };
# Allow installd to call into the system server so it can check permissions.
binder_call(installd, system_server)
allow installd permission_service:service_manager find;
# Allow installd to read and write quotas
allow installd block_device:dir { search };
allow installd labeledfs:filesystem { quotaget quotamod };
# Allow installd to delete from /data/preloads when trimming data caches
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
allow installd preloads_data_file:file { r_file_perms unlink };
allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow installd preloads_media_file:file { r_file_perms unlink };
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
###
### Neverallow rules
###
# only system_server, installd and dumpstate may interact with installd over binder
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
neverallow { domain -system_server -dumpstate } installd:binder call;
neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;