Allow isolated to read staged apks
type=1400 audit(0.0:835): avc: denied { read } for path="/data/app/vmdl1923101285.tmp/base.apk" dev="dm-37" ino=29684 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0 Bug: 308775782 Bug: 316442990 Test: Flashed to device with and without this change, confirmed that this change allows an isolated process to read already opened staged apk file (cherry picked from https://android-review.googlesource.com/q/commit:cf2694bf863fc31ac5862b92bb9258136de57932) Merged-In: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1 Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
parent
4a14ebeb3e
commit
7b73ec2605
@ -32,6 +32,9 @@ allow isolated_app_all app_zygote:unix_dgram_socket write;
|
||||
# suppress denials to /data/local/tmp
|
||||
dontaudit isolated_app_all shell_data_file:dir search;
|
||||
|
||||
# Allow to read (but not open) staged apks.
|
||||
allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
|
||||
|
||||
#####
|
||||
##### Neverallow
|
||||
#####
|
||||
|
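Review bot: The new allow rule grants `{ read getattr }` on both `apk_tmp_file` and `apk_private_tmp_file`, but the denial quoted in the commit message is only for `apk_tmp_file`. If no isolated-process caller needs private staged APKs, `allow isolated_app_all apk_tmp_file:file { read getattr };` would keep the grant to what was actually observed. The rule is also written on the `isolated_app_all` attribute, so every domain carrying it gains the access, while the logged scontext is `isolated_app`; this is presumably intended but worth stating. The comment would be clearer if it said where the descriptor comes from, e.g. `# Allow reading staged APKs only through an already-open fd passed in by another domain; open is intentionally not granted.`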
@ -109,9 +109,6 @@ neverallow appdomain drm_data_file:dir_file_class_set
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_tmp_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_private_data_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
@ -139,11 +136,15 @@ neverallow appdomain
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# access tmp apk files
|
||||
neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
|
||||
neverallow { appdomain -platform_app }
|
||||
apk_tmp_file:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
|
||||
{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
|
||||
|
||||
neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
|
||||
neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
|
||||
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
|
||||
neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
|
||||
|
||||
# Access to factory files.
|
||||
neverallow appdomain efs_file:dir_file_class_set write;
|
||||
|
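Review bot: The relocated write-deny rule `neverallow { appdomain -platform_app } apk_tmp_file:dir_file_class_set` names only `apk_tmp_file`, so within this hunk nothing bounds `priv_app` on `apk_private_tmp_file`. That domain is excluded from the broad `*` rule, and the two `~{ getattr read }` rules cover only `untrusted_app_all` and `isolated_app_all`. The `priv_app` exclusion predates this commit and rules outside the hunk may already cover it, but since the rule is being moved anyway its target could become `{ apk_tmp_file apk_private_tmp_file }:dir_file_class_set`, provided no existing allow depends on the gap. A comment above the last two neverallows, such as `# Untrusted and isolated apps may only read/getattr staged APK files through an fd handed to them; no open, no other object classes.`, would record why `isolated_app_all` is carved out of the broad rule.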