installd: r_dir_file(installd, system_file)
Allow installd to read through files, directories, and symlinks on /system. This is needed to support installd using files in /system/app and /system/priv-app Addresses the following auditallow spam: avc: granted { getattr } for comm="installd" path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so" dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=lnk_file avc: granted { getattr } for comm="installd" path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so" dev="dm-0" ino=2305 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=lnk_file avc: granted { read open } for comm="installd" path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43" ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: granted { read open } for comm="installd" path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43" ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: granted { read open } for comm="installd" path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir Test: policy compiles Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2
This commit is contained in:
parent
b0c375d46d
commit
68f233648e
@ -41,9 +41,35 @@ auditallow domain_deprecated device:file read;
|
||||
allow domain_deprecated system_file:dir r_dir_perms;
|
||||
allow domain_deprecated system_file:file r_file_perms;
|
||||
allow domain_deprecated system_file:lnk_file r_file_perms;
|
||||
auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
|
||||
auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
|
||||
auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-init
|
||||
-installd
|
||||
-rild
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-zygote
|
||||
} system_file:dir { open read ioctl lock }; # search getattr in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-init
|
||||
-rild
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-zygote
|
||||
} system_file:file { ioctl lock }; # read open getattr in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-init
|
||||
-installd
|
||||
-rild
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-zygote
|
||||
} system_file:lnk_file { getattr open ioctl lock }; # read in domain
|
||||
|
||||
# Read files already opened under /data.
|
||||
allow domain_deprecated system_data_file:file { getattr read };
|
||||
|
@ -25,6 +25,8 @@ allow installd mnt_expand_file:dir { search getattr };
|
||||
selinux_check_context(installd)
|
||||
|
||||
r_dir_file(installd, rootfs)
|
||||
# Scan through APKs in /system/app and /system/priv-app
|
||||
r_dir_file(installd, system_file)
|
||||
|
||||
# Search /data/app-asec and stat files in it.
|
||||
allow installd asec_image_file:dir search;
|
||||
|
Loading…
Reference in New Issue
Block a user