f5e90004a3
bluetooth, nfc, radio and shell are not explicitly declared
in installd.te. This prevents applications in those group
from upgrading by "adb install -r".
You can reproduce the issue by following step:
1. adb pull /system/priv-app/Shell.apk
2. adb install -r Shell.apk
3. install failed with the error log blow
[Error in logcat]
E/installd( 338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/com.android.shell-1': Permission denied
E/installd( 338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/Shell': Permission denied
[Error in dmesg]
<5>[ 112.053301] type=1400 audit(1387412796.071:10): avc: denied { create } for pid=337 comm="installd" name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=lnk_file
This operation fails only if the app belongs to any of the
groups specified in the commit title.
Change-Id: I7572df9fb6e471fad34f61137f0eeeda4c82659d
33 lines
1.5 KiB
Text
33 lines
1.5 KiB
Text
# installer daemon
|
|
type installd, domain;
|
|
type installd_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(installd)
|
|
relabelto_domain(installd)
|
|
typeattribute installd mlstrustedsubject;
|
|
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
|
|
allow installd system_data_file:file create_file_perms;
|
|
allow installd system_data_file:lnk_file create;
|
|
allow installd dalvikcache_data_file:file create_file_perms;
|
|
allow installd data_file_type:dir create_dir_perms;
|
|
allow installd data_file_type:dir { relabelfrom relabelto };
|
|
allow installd data_file_type:{ file_class_set } { getattr unlink };
|
|
allow installd apk_data_file:file r_file_perms;
|
|
allow installd apk_tmp_file:file r_file_perms;
|
|
allow installd system_file:file x_file_perms;
|
|
allow installd cgroup:dir create_dir_perms;
|
|
allow installd download_file:dir { r_dir_perms };
|
|
allow installd download_file:file { r_file_perms };
|
|
dontaudit installd self:capability sys_admin;
|
|
# Check validity of SELinux context before use.
|
|
selinux_check_context(installd)
|
|
# Read /seapp_contexts and /data/security/seapp_contexts
|
|
security_access_policy(installd)
|
|
# ASEC
|
|
allow installd platform_app_data_file:lnk_file { create setattr };
|
|
allow installd app_data_file:lnk_file { create setattr };
|
|
allow installd asec_apk_file:file r_file_perms;
|
|
allow installd bluetooth_data_file:lnk_file { create setattr };
|
|
allow installd nfc_data_file:lnk_file { create setattr };
|
|
allow installd radio_data_file:lnk_file { create setattr };
|
|
allow installd shell_data_file:lnk_file { create setattr };
|