installd: enable SELinux restrictions
This change enables SELinux security enforcement on the installd
process.
For the installd.te file only, this change is equivalent to reverting
the following commits:
* 50e37b93ac97631dcac6961285b92af5026557af
* 77d4731e9d30c8971e076e2469d6957619019921
No other changes were required.
Testing: As much as possible, I've tested that package installation
works, from both adb and via Android market. There were no denials
in the kernel dmesg log, and everything appears to be working correctly.
It's quite possible I've missed something. If we experience problems,
I'm happy to roll back this change.
Bug: 9662644
Change-Id: Id93d4ee7b517dfa28c9a0b1d45d936b56892ac0a
diff --git a/installd.te b/installd.te
index 4ad5513..428e379 100644
--- a/installd.te
+++ b/installd.te
@@ -1,7 +1,26 @@
# installer daemon
type installd, domain;
-permissive installd;
type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
-unconfined_domain(installd)
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file create_file_perms;
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd data_file_type:dir create_dir_perms;
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:{ file lnk_file } { getattr unlink };
+allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
+allow installd system_file:file x_file_perms;
+allow installd cgroup:dir create_dir_perms;
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file r_file_perms;
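Review bot: The two broadest lines in the new policy, `typeattribute installd mlstrustedsubject;` and `dontaudit installd self:capability sys_admin;`, have no comment explaining why they are needed. The first exempts installd from the MLS constraints. The second hides a denial from the kernel log, so the "no denials in dmesg" check in the description cannot see that case. I would add a one-line rationale above each, for example `# Exempt from MLS constraints: installd manages data dirs across app levels (confirm).` and `# sys_admin is requested but not required; silence the denial (name the triggering operation).` Separately, `allow installd data_file_type:dir { relabelfrom relabelto };` covers every type carrying that attribute. If the set of labels installd actually applies is known, listing those types would keep the domain closer to least privilege.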