permissions for incremental control file
=== for mounting and create file === 02-12 21:09:41.828 593 593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.841 1429 1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === for reading signature from file === 02-12 21:09:47.931 8972 8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:47.994 1429 1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 02-12 21:09:50.034 8972 8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:52.914 1429 1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === data loader app reading from log file === 02-12 22:09:19.741 1417 1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 Test: manual with incremental installation BUG: 133435829 Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e
This commit is contained in:
parent
b1512f3ab7
commit
3922253de9
@ -146,6 +146,10 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
|
||||
allow priv_app system_server:udp_socket {
|
||||
connect getattr read recvfrom sendto write getopt setopt };
|
||||
|
||||
# allow apps like Phonesky to check the file signature of an apk installed on
|
||||
# the Incremental File System
|
||||
allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
@ -72,6 +72,9 @@ allow system_app asec_apk_file:file r_file_perms;
|
||||
# Allow system_app (adb data loader) to write data to /data/incremental
|
||||
allow system_app apk_data_file:file write;
|
||||
|
||||
# Allow system app (adb data loader) to read logs
|
||||
allow system_app incremental_control_file:file r_file_perms;
|
||||
|
||||
# Allow system apps (like Settings) to interact with statsd
|
||||
binder_call(system_app, statsd)
|
||||
|
||||
|
@ -24,6 +24,13 @@ allow system_server appdomain_tmpfs:file { getattr map read write };
|
||||
# For Incremental Service to check if incfs is available
|
||||
allow system_server proc_filesystems:file r_file_perms;
|
||||
|
||||
# To create files on Incremental File System
|
||||
allow system_server incremental_control_file:file { ioctl r_file_perms };
|
||||
allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
|
||||
|
||||
# To get signature of an APK installed on Incremental File System
|
||||
allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
|
||||
|
||||
# For art.
|
||||
allow system_server dalvikcache_data_file:dir r_dir_perms;
|
||||
allow system_server dalvikcache_data_file:file r_file_perms;
|
||||
|
@ -1055,6 +1055,8 @@ define(`IMGETDEVINFO', `0x80044944')
|
||||
define(`IMGETVERSION', `0x80044942')
|
||||
define(`IMHOLD_L1', `0x80044948')
|
||||
define(`IMSETDEVNAME', `0x80184947')
|
||||
define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
|
||||
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
|
||||
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
|
||||
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
|
||||
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
|
||||
|
@ -132,6 +132,8 @@ allow vold apk_data_file:dir { mounton rw_dir_perms };
|
||||
allow vold apk_data_file:file rw_file_perms;
|
||||
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
|
||||
allow vold apk_tmp_file:dir { mounton r_dir_perms };
|
||||
# Allow to read incremental control file and call selinux restorecon on it
|
||||
allow vold incremental_control_file:file { r_file_perms relabelto };
|
||||
|
||||
allow vold tmpfs:filesystem { mount unmount };
|
||||
allow vold tmpfs:dir create_dir_perms;
|
||||
|
Loading…
Reference in New Issue
Block a user