      1 # installer daemon
        # SELinux type-enforcement rules for the installd domain. Each allow
        # rule below is an explicit grant; access that is not granted here (or
        # through an attribute installd carries) is denied.
      2 type installd, domain;
      3 type installd_exec, exec_type, file_type;
      4 
        # Enter the installd domain when init executes a file labeled
        # installd_exec.
      5 init_daemon_domain(installd)
        # mlstrustedsubject exempts installd from the MLS constraints that
        # otherwise separate subjects and objects by level/category.
        # NOTE(review): presumably needed because installd manages data
        # directories of apps at differing levels -- confirm against the mls
        # constraints and seapp_contexts, which are not shown here.
      6 typeattribute installd mlstrustedsubject;
        # chown: change file ownership; fowner: chmod and similar on files
        # owned by others; fsetid: keep/set set-id bits; dac_override: bypass
        # discretionary read/write/execute checks; setgid/setuid: change the
        # process GIDs/UIDs. With dac_override held, the SELinux rules in this
        # file are what bounds installd's file access.
      7 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
      8 
      9 # Allow labeling of files under /data/app/com.example/oat/
        # relabelto permits assigning the dalvikcache_data_file type to an
        # existing object. A relabel also needs relabelfrom on the object's
        # current type.
        # NOTE(review): presumably that current type is apk_data_file, whose
        # relabelfrom is granted below -- confirm against file_contexts.
     10 allow installd dalvikcache_data_file:dir relabelto;
     11 allow installd dalvikcache_data_file:file { relabelto link };
     12 
     13 # Allow movement of APK files between volumes
        # Full create/modify/delete on apk_data_file directories and files,
        # plus relabelfrom so objects can be moved off this type. Symlinks get
        # only create, read and unlink.
     14 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
     15 allow installd apk_data_file:file { create_file_perms relabelfrom link };
     16 allow installd apk_data_file:lnk_file { create read unlink };
     17 
        # Read access to asec_apk_file and oemfs content. apk_tmp_file files
        # can also be unlinked, and apk_tmp_file directories can be created,
        # modified and relabeled away from that type.
     18 allow installd asec_apk_file:file r_file_perms;
     19 allow installd apk_tmp_file:file { r_file_perms unlink };
     20 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
     21 allow installd oemfs:dir r_dir_perms;
     22 allow installd oemfs:file r_file_perms;
        # x_file_perms includes execute_no_trans, so a system_file binary that
        # installd executes runs inside the installd domain with all of the
        # grants in this file.
        # NOTE(review): which binaries installd executes this way is not
        # visible here; the rule covers everything labeled system_file.
     23 allow installd system_file:file x_file_perms;
     24 allow installd cgroup:dir create_dir_perms;
     25 allow installd mnt_expand_file:dir { search getattr };
     26 # Check validity of SELinux context before use.
     27 selinux_check_context(installd)
     28 # Read /seapp_contexts and /data/security/seapp_contexts
     29 security_access_policy(installd)
     30 
     31 # Search /data/app-asec and stat files in it.
        # Lookup and getattr only: no read of asec_image_file file contents is
        # granted by these two rules.
     32 allow installd asec_image_file:dir search;
     33 allow installd asec_image_file:file getattr;
     34 
     35 # Create /data/user and /data/user/0 if necessary.
     36 # Also required to initially create /data/data subdirectories
     37 # and lib symlinks before the setfilecon call.  May want to
     38 # move symlink creation after setfilecon in installd.
        # NOTE(review): per the comment above, new package directories and lib
        # symlinks presumably carry the system_data_file label until setfilecon
        # runs. Creating the symlinks after setfilecon might allow the lnk_file
        # grant below to be narrowed -- confirm in the installd sources.
     39 allow installd system_data_file:dir create_dir_perms;
     40 allow installd system_data_file:lnk_file { create setattr unlink };
     41 
     42 # Upgrade /data/media for multi-user if necessary.
        # Directories get full create/modify/delete; files get only getattr
        # and unlink, which is enough to delete them but not to read content.
     43 allow installd media_rw_data_file:dir create_dir_perms;
     44 allow installd media_rw_data_file:file { getattr unlink };
     45 # restorecon new /data/media directory.
        # The two rules form one relabel: relabelfrom on the old type
        # (system_data_file) and relabelto on the new type
        # (media_rw_data_file).
     46 allow installd system_data_file:dir relabelfrom;
     47 allow installd media_rw_data_file:dir relabelto;
     48 
     49 # Upgrade /data/misc/keychain for multi-user if necessary.
        # misc_user_data_file files get full create_file_perms.
        # keychain_data_file files get read and unlink only; the rules shown
        # here grant no create or write on them.
     50 allow installd misc_user_data_file:dir create_dir_perms;
     51 allow installd misc_user_data_file:file create_file_perms;
     52 allow installd keychain_data_file:dir create_dir_perms;
     53 allow installd keychain_data_file:file {r_file_perms unlink};
     54 
     55 # Create /data/.layout_version.* file
        # The type_transition makes install_data_file the default label for a
        # regular file that installd creates in a system_data_file directory,
        # so no create permission on system_data_file:file is needed (and the
        # rules shown in this file grant none).
     56 type_transition installd system_data_file:file install_data_file;
     57 allow installd install_data_file:file create_file_perms;
     58 
     59 # Create files under /data/dalvik-cache.
     60 allow installd dalvikcache_data_file:dir create_dir_perms;
     61 allow installd dalvikcache_data_file:file create_file_perms;
     62 
     63 # Create /data/dalvik-cache/profiles.
        # NOTE(review): rw_dir_perms does not include directory create, so
        # these rules cover creating files inside the profiles directory; the
        # directory itself is presumably created by another domain -- confirm.
     64 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
     65 allow installd dalvikcache_profiles_data_file:file create_file_perms;
     66 
     67 # Create files under /data/resource-cache.
        # Same shape as the profiles rules: add/remove entries in the
        # directory and fully manage the files in it.
     68 allow installd resourcecache_data_file:dir rw_dir_perms;
     69 allow installd resourcecache_data_file:file create_file_perms;
     70 
     71 # Run dex2oat in its own sandbox.
        # Executing a file labeled dex2oat_exec switches to the dex2oat domain
        # automatically, so the compiler runs under dex2oat's rules rather
        # than under the installd grants in this file.
     72 domain_auto_trans(installd, dex2oat_exec, dex2oat)
     73 
     74 # Upgrade from unlabeled userdata.
     75 # Just need enough to remove and/or relabel it.
        # relabelfrom lets installd move unlabeled objects onto a proper type;
        # no relabelto on unlabeled is granted, so nothing can be relabeled
        # into it by these rules.
        # NOTE(review): getattr and search look redundant next to rw_dir_perms
        # -- confirm against the macro definitions.
     76 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
        # notdevfile_class_set keeps device nodes out of this grant.
     77 allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
     78 # Read pkg.apk file for input during dexopt.
     79 allow installd unlabeled:file r_file_perms;
     80 
     81 # Upgrade from before system_app_data_file was used for system UID apps.
     82 # Just need enough to relabel it and to unlink removed package files.
     83 # Directory access covered by earlier rule above.
        # Non-device file classes only; no read, write or create on
        # system_data_file files is granted by this rule.
     84 allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
     85 
     86 # Manage /data/data subdirectories, including initially labeling them
     87 # upon creation via setfilecon or running restorecon_recursive,
     88 # setting owner/mode, creating symlinks within them, and deleting them
     89 # upon package uninstall.
     90 # Types extracted from seapp_contexts type= fields.
        # NOTE(review): the type lists below are maintained by hand; a type=
        # value added to seapp_contexts but not here would presumably leave
        # installd unable to manage that app's data -- keep the two in sync.
        # NOTE(review): relabelfrom plus relabelto on every listed type lets
        # installd move objects between any two of these types. Together with
        # the mlstrustedsubject attribute and dac_override capability granted
        # earlier in this file, installd has full control over data of all
        # listed app types; which domains may send it requests is not visible
        # here and should be reviewed alongside these rules.
     91 allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
     92 allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
     93 
     94 # Create and use pty created by android_fork_execvp().
        # Read/write on devpts character devices only; no create permission on
        # the chr_file class is granted by this rule.
     95 allow installd devpts:chr_file rw_file_perms;
     96