Allow isolated to read staged apks

type=1400 audit(0.0:835): avc: denied { read } for path="/data/app/vmdl1923101285.tmp/base.apk" dev="dm-37" ino=29684 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0 Bug: 308775782 Bug: 316442990 Test: Flashed to device with and without this change, confirmed that this change allows an isolated process to read already opened staged apk file (cherry picked from https://android-review.googlesource.com/q/commit:cf2694bf863fc31ac5862b92bb9258136de57932) Merged-In: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1 Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1
2023-11-30 19:37:43 +00:00 · 2023-11-30 19:37:43 +00:00 · 7b73ec2605
commit 7b73ec2605
parent 4a14ebeb3e
2 changed files with 10 additions and 6 deletions
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@ -32,6 +32,9 @@ allow isolated_app_all app_zygote:unix_dgram_socket write;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app_all shell_data_file:dir search;

+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
 #####
 ##### Neverallow
 #####
--- a/public/app.te
+++ b/public/app.te
@ -109,9 +109,6 @@ neverallow appdomain drm_data_file:dir_file_class_set
 neverallow { appdomain -platform_app }
    apk_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
    apk_private_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
@ -139,11 +136,15 @@ neverallow appdomain
    { create write setattr relabelfrom relabelto append unlink link rename };

 # access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+    apk_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
    { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;

-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };

 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;