| # installer daemon |
| type installd, domain; |
| type installd_exec, system_file_type, exec_type, file_type; |
| typeattribute installd mlstrustedsubject; |
| allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill }; |
| |
| # Allow labeling of files under /data/app/com.example/oat/ |
| allow installd dalvikcache_data_file:dir relabelto; |
| allow installd dalvikcache_data_file:file { relabelto link }; |
| |
| # Allow movement of APK files between volumes |
| allow installd apk_data_file:dir { create_dir_perms relabelfrom }; |
| allow installd apk_data_file:file { create_file_perms relabelfrom link }; |
| allow installd apk_data_file:lnk_file { create r_file_perms unlink }; |
| |
| allow installd asec_apk_file:file r_file_perms; |
| allow installd apk_tmp_file:file { r_file_perms unlink }; |
| allow installd apk_tmp_file:dir { relabelfrom create_dir_perms }; |
| allow installd oemfs:dir r_dir_perms; |
| allow installd oemfs:file r_file_perms; |
| allow installd cgroup:dir create_dir_perms; |
| allow installd cgroup_v2:dir create_dir_perms; |
| allow installd mnt_expand_file:dir { search getattr }; |
| # Check validity of SELinux context before use. |
| selinux_check_context(installd) |
| |
| r_dir_file(installd, rootfs) |
| # Scan through APKs in /system/app and /system/priv-app |
| r_dir_file(installd, system_file) |
| # Scan through APKs in /vendor/app |
| r_dir_file(installd, vendor_app_file) |
| # Scan through JARs in /vendor/framework |
| r_dir_file(installd, vendor_framework_file) |
| # Scan through Runtime Resource Overlay APKs in /vendor/overlay |
| r_dir_file(installd, vendor_overlay_file) |
| # Get file context |
| allow installd file_contexts_file:file r_file_perms; |
| # Get seapp_context |
| allow installd seapp_contexts_file:file r_file_perms; |
| |
| # Search /data/app-asec and stat files in it. |
| allow installd asec_image_file:dir search; |
| allow installd asec_image_file:file getattr; |
| |
| # Required to initially create subdirectories of /data/user/$userId |
| # and lib symlinks before the setfilecon call. May want to |
| # move symlink creation after setfilecon in installd. |
| allow installd system_data_file:dir create_dir_perms; |
| # Also, allow read for lnk_file so that we can process symlinks within |
| # /data/user/$userId when optimizing application code. |
| allow installd system_data_file:lnk_file { create getattr read setattr unlink }; |
| |
| # Manage lower filesystem via pass_through mounts |
| allow installd mnt_pass_through_file:dir r_dir_perms; |
| |
| # Upgrade /data/media for multi-user if necessary. |
| allow installd media_rw_data_file:dir create_dir_perms; |
| allow installd media_rw_data_file:file { getattr unlink }; |
| # restorecon new /data/media directory. |
| allow installd system_data_file:dir relabelfrom; |
| allow installd media_rw_data_file:dir relabelto; |
| |
| # Delete /data/media files through sdcardfs, instead of going behind its back |
| allow installd media_userdir_file:dir r_dir_perms; |
| allow installd tmpfs:dir r_dir_perms; |
| allow installd storage_file:dir search; |
| allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir }; |
| allow installd { sdcard_type fuse }:file { getattr unlink }; |
| |
| # Create app's mirror data directory in /data_mirror, and bind mount the real directory to it |
| allow installd mirror_data_file:dir { create_dir_perms mounton }; |
| |
| # Upgrade /data/misc/keychain for multi-user if necessary. |
| allow installd system_userdir_file:dir r_dir_perms; |
| allow installd misc_user_data_file:dir create_dir_perms; |
| allow installd misc_user_data_file:file create_file_perms; |
| allow installd keychain_data_file:dir create_dir_perms; |
| allow installd keychain_data_file:file {r_file_perms unlink}; |
| |
| # Create /data/misc/installd/layout_version.* file |
| allow installd install_data_file:file create_file_perms; |
| allow installd install_data_file:dir rw_dir_perms; |
| |
| # Create files under /data/dalvik-cache. |
| allow installd dalvikcache_data_file:dir create_dir_perms; |
| allow installd dalvikcache_data_file:file create_file_perms; |
| allow installd dalvikcache_data_file:lnk_file getattr; |
| |
| # Create files under /data/resource-cache. |
| allow installd resourcecache_data_file:dir rw_dir_perms; |
| allow installd resourcecache_data_file:file create_file_perms; |
| |
| # Upgrade from unlabeled userdata. |
| # Just need enough to remove and/or relabel it. |
| allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir }; |
| allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr }; |
| # Read pkg.apk file for input during dexopt. |
| allow installd unlabeled:file r_file_perms; |
| |
| # Upgrade from before system_app_data_file was used for system UID apps. |
| # Just need enough to relabel it and to unlink removed package files. |
| # Directory access covered by earlier rule above. |
| allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink }; |
| |
| # Manage /data/data subdirectories, including initially labeling them |
| # upon creation via setfilecon or running restorecon_recursive, |
| # setting owner/mode, creating symlinks within them, and deleting them |
| # upon package uninstall. |
| allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto }; |
| allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto }; |
| |
| # Allow setting extended attributes (for project quota IDs) on dirs and files |
| # and to enable project ID inheritance through FS_IOC_SETFLAGS |
| # Added install_data_file to be able to create file under /data/misc/installd/ioctl_check |
| allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl { |
| FS_IOC_FSGETXATTR |
| FS_IOC_FSSETXATTR |
| FS_IOC_GETFLAGS |
| FS_IOC_SETFLAGS |
| }; |
| |
| # Similar for the files under /data/misc/profiles/ |
| allow installd user_profile_root_file:dir { create_dir_perms relabelfrom }; |
| allow installd user_profile_data_file:dir { create_dir_perms relabelto }; |
| allow installd user_profile_data_file:file create_file_perms; |
| allow installd user_profile_data_file:file unlink; |
| |
| # Allow zygote to unmount mirror directories |
| allow installd labeledfs:filesystem unmount; |
| |
| # Files created/updated by profman dumps. |
| allow installd profman_dump_data_file:dir { search add_name write }; |
| allow installd profman_dump_data_file:file { create setattr open write }; |
| |
| # Create and use pty created by android_fork_execvp(). |
| allow installd devpts:chr_file rw_file_perms; |
| |
| # execute toybox for app relocation |
| allow installd toolbox_exec:file rx_file_perms; |
| |
| # Allow installd to publish a binder service and make binder calls. |
| binder_use(installd) |
| add_service(installd, installd_service) |
| allow installd dumpstate:fifo_file { getattr write }; |
| |
| # Allow installd to call into the system server so it can check permissions. |
| binder_call(installd, system_server) |
| allow installd permission_service:service_manager find; |
| |
| # Allow installd to read and write quotas |
| allow installd block_device:dir { search }; |
| allow installd labeledfs:filesystem { quotaget quotamod }; |
| |
| # Allow installd to delete from /data/preloads when trimming data caches |
| # TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server |
| allow installd preloads_data_file:file { r_file_perms unlink }; |
| allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir }; |
| allow installd preloads_media_file:file { r_file_perms unlink }; |
| allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir }; |
| |
| # Allow installd to read /proc/filesystems |
| allow installd proc_filesystems:file r_file_perms; |
| |
| #add for move app to sd card |
| get_prop(installd, storage_config_prop) |
| |
| # Allow installd to access apps installed on the Incremental File System |
| # Accessing files on the Incremental File System uses fds opened in the context of vold. |
| allow installd vold:fd use; |
| |
| ### |
| ### Neverallow rules |
| ### |
| |
| # only system_server, installd, dumpstate, and servicemanager may interact with installd over binder |
| neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find; |
| neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call; |
| neverallow installd { |
| domain |
| -system_server |
| -servicemanager |
| userdebug_or_eng(`-su') |
| }:binder call; |