      1 # installer daemon
        # Type-enforcement rules for installd: its domain type, the label of its
        # executable, and the allow rules that bound what the daemon may touch.
      2 type installd, domain;
      3 type installd_exec, exec_type, file_type;
      4 
        # init_daemon_domain is a policy macro defined outside this file.
        # NOTE(review): in AOSP te_macros it sets up the init -> installd domain
        # transition taken when init executes a file labelled installd_exec.
      5 init_daemon_domain(installd)
        # NOTE(review): mlstrustedsubject is the attribute the MLS constraints
        # (defined outside this file) use to exempt a domain, so MLS level
        # separation presumably does not confine installd. If so, the type rules
        # below are the only MAC boundary around this daemon - confirm.
      6 typeattribute installd mlstrustedsubject;
        # dac_override and fowner bypass ordinary UNIX owner/mode checks, and
        # chown/fsetid/setgid/setuid let installd change ownership and identity.
        # With DAC out of the way, file access is limited only by the SELinux
        # rules that follow, so each of them should stay as narrow as possible.
      7 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
        # Installed APK storage: rename files, manage directories and symlinks.
        # No read or write of apk_data_file file contents is granted here.
      8 allow installd apk_data_file:file rename;
      9 allow installd apk_data_file:dir create_dir_perms;
     10 allow installd apk_data_file:lnk_file { create read unlink };
        # Read-only access to ASEC-hosted APKs, staged APKs and the OEM partition.
     11 allow installd asec_apk_file:file r_file_perms;
     12 allow installd apk_tmp_file:file r_file_perms;
     13 allow installd oemfs:dir r_dir_perms;
     14 allow installd oemfs:file r_file_perms;
        # x_file_perms is a macro defined outside this file.
        # NOTE(review): in AOSP global_macros it includes execute_no_trans, which
        # would let any system_file binary run inside the installd domain with
        # every permission granted in this file - confirm that is intended.
     15 allow installd system_file:file x_file_perms;
     16 allow installd cgroup:dir create_dir_perms;
     17 # Check validity of SELinux context before use.
     18 selinux_check_context(installd)
     19 # Read /seapp_contexts and /data/security/seapp_contexts
     20 security_access_policy(installd)
     21 
     22 # Search /data/app-asec and stat files in it.
        # Only dir search and file getattr are granted: no read of image contents.
     23 allow installd asec_image_file:dir search;
     24 allow installd asec_image_file:file getattr;
     25 
     26 # Create /data/user and /data/user/0 if necessary.
     27 # Also required to initially create /data/data subdirectories
     28 # and lib symlinks before the setfilecon call.  May want to
     29 # move symlink creation after setfilecon in installd.
        # Rules match on type, not on path, so these two grants cover every
        # directory and symlink labelled system_data_file and not just the paths
        # named above. Moving symlink creation after setfilecon, as the comment
        # suggests, would allow the lnk_file grant to be narrowed.
     30 allow installd system_data_file:dir create_dir_perms;
     31 allow installd system_data_file:lnk_file { create setattr unlink };
     32 
     33 # Upgrade /data/media for multi-user if necessary.
        # Files get getattr and unlink only; installd cannot read media contents.
     34 allow installd media_rw_data_file:dir create_dir_perms;
     35 allow installd media_rw_data_file:file { getattr unlink };
     36 # restorecon new /data/media directory.
        # relabelfrom and relabelto together permit changing a directory from
        # system_data_file to media_rw_data_file. The relabelfrom half is not
        # path-limited: it applies to any directory labelled system_data_file.
     37 allow installd system_data_file:dir relabelfrom;
     38 allow installd media_rw_data_file:dir relabelto;
     39 
     40 # Upgrade /data/misc/keychain for multi-user if necessary.
        # keychain_data_file files are readable and removable but not writable;
        # misc_user_data_file files get the full create_file_perms set.
     41 allow installd misc_user_data_file:dir create_dir_perms;
     42 allow installd misc_user_data_file:file create_file_perms;
     43 allow installd keychain_data_file:dir create_dir_perms;
     44 allow installd keychain_data_file:file {r_file_perms unlink};
     45 
     46 # Create /data/.layout_version.* file
        # The type_transition has no object-name component, so it applies to every
        # regular file installd creates in any directory labelled
        # system_data_file, not only to /data/.layout_version.*. Those files are
        # labelled install_data_file instead of inheriting the directory type.
     47 type_transition installd system_data_file:file install_data_file;
     48 allow installd install_data_file:file create_file_perms;
     49 
     50 # Create files under /data/dalvik-cache.
        # NOTE(review): dalvik-cache presumably holds compiled code that other
        # processes later load, which makes write access here integrity-sensitive.
        # Confirm which other domains may write dalvikcache_data_file.
     51 allow installd dalvikcache_data_file:dir create_dir_perms;
     52 allow installd dalvikcache_data_file:file create_file_perms;
     53 
     54 # Create /data/dalvik-cache/profiles.
        # Directory access is rw_dir_perms rather than create_dir_perms, unlike
        # the dalvik-cache rule above.
     55 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
     56 allow installd dalvikcache_profiles_data_file:file create_file_perms;
     57 
     58 # Create files under /data/resource-cache.
     59 allow installd resourcecache_data_file:dir rw_dir_perms;
     60 allow installd resourcecache_data_file:file create_file_perms;
     61 
     62 # Run dex2oat in its own sandbox.
        # domain_auto_trans is a macro defined outside this file; as used here it
        # moves the process into the dex2oat domain when installd executes a file
        # labelled dex2oat_exec, so the compiler does not keep installd rights.
     63 domain_auto_trans(installd, dex2oat_exec, dex2oat)
     64 # dex2oat needs LD_PRELOAD, passed down from init
     65 # https://android-review.googlesource.com/94851
        # noatsecure stops the kernel from setting AT_SECURE on this transition,
        # so the dynamic linker keeps LD_PRELOAD and similar variables instead of
        # scrubbing them. The dex2oat sandbox therefore runs with an environment
        # chosen by installd, which weakens the isolation the transition is
        # meant to give. Drop this rule once the LD_PRELOAD dependency is gone.
     66 allow installd dex2oat:process noatsecure;
     67 
     68 # Upgrade from unlabeled userdata.
     69 # Just need enough to remove and/or relabel it.
        # These rules apply to every object carrying the unlabeled type, so their
        # reach is as wide as the set of unlabeled files on the device.
        # NOTE(review): getattr and search are listed next to rw_dir_perms; in
        # AOSP global_macros rw_dir_perms already contains both, so they look
        # redundant rather than additional - confirm.
     70 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
        # notdevfile_class_set is a class-set macro defined outside this file.
     71 allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
     72 # Read pkg.apk file for input during dexopt.
        # This goes beyond the remove-or-relabel scope stated above: it grants
        # read access to any unlabeled regular file, not only to pkg.apk.
     73 allow installd unlabeled:file r_file_perms;
     74 
     75 # Upgrade from before system_app_data_file was used for system UID apps.
     76 # Just need enough to relabel it and to unlink removed package files.
     77 # Directory access covered by earlier rule above.
        # No relabelto is granted on system_data_file, so objects can be moved
        # out of this type by installd but not into it.
     78 allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
     79 
     80 # Manage /data/data subdirectories, including initially labeling them
     81 # upon creation via setfilecon or running restorecon_recursive,
     82 # setting owner/mode, creating symlinks within them, and deleting them
     83 # upon package uninstall.
     84 # Types extracted from seapp_contexts type= fields.
        # NOTE(review): the type list is duplicated by hand in all three rules and
        # presumably has to track seapp_contexts; a type= value added there but
        # not here would leave installd unable to manage that data directory.
        # Holding relabelfrom and relabelto on the same set lets installd move an
        # object between any two of these types, as far as constraints allow.
     85 allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
     86 allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:lnk_file { create setattr getattr unlink rename relabelfrom relabelto };
        # The file rule grants no read, write or open: installd can label, chown,
        # rename and delete app data files but cannot access their contents.
        # Keep it that way when extending this rule.
     87 allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
     88