Expand deletion powers to all "sdcard_type".
installd has been deleting files on the primary (emulated) storage device for awhile now, but it was lacking the ability to delete files on secondary (physical) storage devices. Even though we're always going through an sdcardfs layer, the kernel checks our access against the label of the real underlying files. Instead of tediously listing each possible storage label, using "sdcard_type" is more descriptive and future-proof as new filesystems are added. avc: denied { read open } for path="/mnt/media_rw/1B82-12F6/Android/data/com.android.cts.writeexternalstorageapp" dev="loop9p1" ino=1224 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 avc: denied { write search } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 avc: denied { remove_name } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 avc: denied { unlink } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1 avc: denied { rmdir } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1 Bug: 113277754 Test: atest android.appsecurity.cts.StorageHostTest Test: atest android.appsecurity.cts.ExternalStorageHostTest Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/pm/ Change-Id: Id79d8f31627c0bfb490b4280c3b0120d0ef699bf
This commit is contained in:
parent
622992fd49
commit
653d0f1f57
@ -67,8 +67,8 @@ allow installd media_rw_data_file:dir relabelto;
|
||||
# Delete /data/media files through sdcardfs, instead of going behind its back
|
||||
allow installd tmpfs:dir r_dir_perms;
|
||||
allow installd storage_file:dir search;
|
||||
allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
|
||||
allow installd sdcardfs:file { getattr unlink };
|
||||
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
|
||||
allow installd sdcard_type:file { getattr unlink };
|
||||
|
||||
# Upgrade /data/misc/keychain for multi-user if necessary.
|
||||
allow installd misc_user_data_file:dir create_dir_perms;
|
||||
|
Loading…
Reference in New Issue
Block a user