4b33d68d35
When upgrading a package, PackageParser acts on the temporary
APK file copied from the install location. This is passed to
idmap, which doesn't have read access because it's missing an
SELinux rule.
This is needed to fix a bug with manifest overlaying on updating
an app, a feature kept alive for Q.
Relevant logs when updating a target:
[ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
Bug: 130559507
Test: manual adb push /system/product/app/TestApp.apk with
/system/product/overlay/TestOverlay.apk enabling disabled launcher
Activity in TestApp; adb install -r TestApp.apk keeps enabled state
with changes
Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
(cherry picked from commit 7e7291a763)
30 lines
1.1 KiB
Text
30 lines
1.1 KiB
Text
# idmap, when executed by installd
|
|
type idmap, domain;
|
|
type idmap_exec, system_file_type, exec_type, file_type;
|
|
|
|
# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
|
|
# Use open file to /data/resource-cache file inherited from installd.
|
|
allow idmap installd:fd use;
|
|
allow idmap resourcecache_data_file:file create_file_perms;
|
|
allow idmap resourcecache_data_file:dir rw_dir_perms;
|
|
|
|
# Ignore reading /proc/<pid>/maps after a fork.
|
|
dontaudit idmap installd:file read;
|
|
|
|
# Open and read from target and overlay apk files passed by argument.
|
|
allow idmap apk_data_file:file r_file_perms;
|
|
allow idmap apk_data_file:dir search;
|
|
|
|
# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
|
|
allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
|
allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
|
|
|
|
# Allow apps access to /vendor/app
|
|
r_dir_file(idmap, vendor_app_file)
|
|
|
|
# Allow apps access to /vendor/overlay
|
|
r_dir_file(idmap, vendor_overlay_file)
|
|
|
|
# Allow the idmap2d binary to register as a service and communicate via AIDL
|
|
binder_use(idmap)
|
|
add_service(idmap, idmap_service)
|