dc88dca115
The original concept was to allow separation between /data/data/<pkgdir> files of "platform" apps (signed by one of the four build keys) and untrusted apps. But we had to allow read/write to support passing of open files via Binder or local socket for compatibilty, and it seems that direct open by pathname is in fact used in Android as well, only passing the pathname via Binder or local socket. So there is no real benefit to keeping it as a separate type. Retain a type alias for platform_app_data_file to app_data_file until restorecon /data/data support is in place to provide compatibility. Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
32 lines
1.5 KiB
Text
32 lines
1.5 KiB
Text
# installer daemon
|
|
type installd, domain;
|
|
type installd_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(installd)
|
|
relabelto_domain(installd)
|
|
typeattribute installd mlstrustedsubject;
|
|
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
|
|
allow installd system_data_file:file create_file_perms;
|
|
allow installd system_data_file:lnk_file create;
|
|
allow installd dalvikcache_data_file:file create_file_perms;
|
|
allow installd data_file_type:dir create_dir_perms;
|
|
allow installd data_file_type:dir { relabelfrom relabelto };
|
|
allow installd data_file_type:{ file_class_set } { getattr unlink };
|
|
allow installd apk_data_file:file r_file_perms;
|
|
allow installd apk_tmp_file:file r_file_perms;
|
|
allow installd system_file:file x_file_perms;
|
|
allow installd cgroup:dir create_dir_perms;
|
|
allow installd download_file:dir { r_dir_perms write remove_name };
|
|
allow installd download_file:file { r_file_perms unlink };
|
|
dontaudit installd self:capability sys_admin;
|
|
# Check validity of SELinux context before use.
|
|
selinux_check_context(installd)
|
|
# Read /seapp_contexts and /data/security/seapp_contexts
|
|
security_access_policy(installd)
|
|
# ASEC
|
|
allow installd app_data_file:lnk_file { create setattr };
|
|
allow installd asec_apk_file:file r_file_perms;
|
|
allow installd bluetooth_data_file:lnk_file { create setattr };
|
|
allow installd nfc_data_file:lnk_file { create setattr };
|
|
allow installd radio_data_file:lnk_file { create setattr };
|
|
allow installd shell_data_file:lnk_file { create setattr };
|