      1 # installer daemon
        #
        # SELinux type-enforcement rules for installd, the daemon that installs
        # and removes packages and prepares per-app data directories.  Only this
        # domain's own rules are here: whatever the `domain` and
        # `domain_deprecated` attributes grant, and the bodies of the macros used
        # below (init_daemon_domain, domain_auto_trans, the *_perms sets), are
        # defined elsewhere and are not visible in this file.
      2 type installd, domain, domain_deprecated;
        # NOTE(review): domain_deprecated presumably attaches a legacy set of
        # broad compatibility rules to this domain (its definition is not in this
        # file).  Audit what it grants before treating installd as tightly
        # confined; dropping the attribute is the usual follow-up.
      3 type installd_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(installd)
        # mlstrustedsubject exempts installd from MLS range constraints --
        # presumably because it creates and relabels data for every user (see the
        # multi-user upgrade rules further down).  Confirm this is still required.
      6 typeattribute installd mlstrustedsubject;
        # Capabilities installd may exercise on itself:
        #   chown / fowner / fsetid -- change owner, mode and set-id bits
        #                              (the "setting owner/mode" noted below);
        #   setuid / setgid         -- change its own credentials;
        #   dac_override            -- bypass DAC read/write/execute checks.
        # NOTE(review): dac_override is the broadest of these.  If installd only
        # needs to traverse or read other-owned paths, dac_read_search is the
        # narrower capability -- confirm against installd's actual syscalls
        # before tightening.
      7 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
      8 
      9 # Allow labeling of files under /data/app/com.example/oat/
        # relabelto only here; creating and writing dalvikcache_data_file
        # entries is granted separately under "/data/dalvik-cache" below.
     10 allow installd dalvikcache_data_file:dir relabelto;
     11 allow installd dalvikcache_data_file:file { relabelto link };
     12 
     13 # Allow movement of APK files between volumes
        # relabelfrom lets installd move an apk_data_file away from its current
        # label; the matching relabelto must be granted on the destination type.
     14 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
     15 allow installd apk_data_file:file { create_file_perms relabelfrom link };
     16 allow installd apk_data_file:lnk_file { create read unlink };
     17 
        # Read-only access to ASEC-backed APKs and to oemfs; temp APK dirs and
        # files may be relabeled/removed; cgroup dirs may be created.  Only
        # search/getattr is granted on mnt_expand_file dirs -- no read/write.
     18 allow installd asec_apk_file:file r_file_perms;
     19 allow installd apk_tmp_file:file { r_file_perms unlink };
     20 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
     21 allow installd oemfs:dir r_dir_perms;
     22 allow installd oemfs:file r_file_perms;
     23 allow installd cgroup:dir create_dir_perms;
     24 allow installd mnt_expand_file:dir { search getattr };
     25 # Check validity of SELinux context before use.
        # Needed so the contexts installd applies via setfilecon (see the
        # /data/data comment below) can be validated against the loaded policy.
     26 selinux_check_context(installd)
     27 # Read /seapp_contexts and /data/security/seapp_contexts
     28 security_access_policy(installd)
     29 
     30 # Search /data/app-asec and stat files in it.
        # No read of the ASEC image contents themselves is granted here.
     31 allow installd asec_image_file:dir search;
     32 allow installd asec_image_file:file getattr;
     33 
     34 # Create /data/user and /data/user/0 if necessary.
     35 # Also required to initially create /data/data subdirectories
     36 # and lib symlinks before the setfilecon call.  May want to
     37 # move symlink creation after setfilecon in installd.
        # NOTE(review): the TODO above is security-relevant: symlinks created
        # before setfilecon briefly carry the parent's label rather than the
        # app's; the window is short but worth closing.
     38 allow installd system_data_file:dir create_dir_perms;
     39 allow installd system_data_file:lnk_file { create setattr unlink };
     40 
     41 # Upgrade /data/media for multi-user if necessary.
     42 allow installd media_rw_data_file:dir create_dir_perms;
     43 allow installd media_rw_data_file:file { getattr unlink };
     44 # restorecon new /data/media directory.
        # Pair of rules: a dir currently labeled system_data_file may be
        # relabeled to media_rw_data_file (and only in that direction here).
     45 allow installd system_data_file:dir relabelfrom;
     46 allow installd media_rw_data_file:dir relabelto;
     47 
     48 # Upgrade /data/misc/keychain for multi-user if necessary.
        # keychain files may be read and unlinked but not created or written by
        # this rule; misc_user_data_file gets full create permissions.
     49 allow installd misc_user_data_file:dir create_dir_perms;
     50 allow installd misc_user_data_file:file create_file_perms;
     51 allow installd keychain_data_file:dir create_dir_perms;
     52 allow installd keychain_data_file:file {r_file_perms unlink};
     53 
     54 # Create /data/.layout_version.* file
        # Any file installd creates directly inside a system_data_file directory
        # is labeled install_data_file by default instead of inheriting the
        # parent directory's label.
     55 type_transition installd system_data_file:file install_data_file;
     56 allow installd install_data_file:file create_file_perms;
     57 
     58 # Create files under /data/dalvik-cache.
     59 allow installd dalvikcache_data_file:dir create_dir_perms;
     60 allow installd dalvikcache_data_file:file create_file_perms;
     61 
     62 # Create files under /data/resource-cache.
        # Note: rw_dir_perms on the dir (no create/relabel of the dir itself),
        # but full create_file_perms on files inside it.
     63 allow installd resourcecache_data_file:dir rw_dir_perms;
     64 allow installd resourcecache_data_file:file create_file_perms;
     65 
        # The three helpers below execute under their own domains, so each
        # process is governed by that domain's rules rather than installd's
        # (compare toolbox_exec at the end of this file, which has no transition).
     66 # Run dex2oat in its own sandbox.
     67 domain_auto_trans(installd, dex2oat_exec, dex2oat)
     68 
     69 # Run profman in its own sandbox.
     70 domain_auto_trans(installd, profman_exec, profman)
     71 
     72 # Run idmap in its own sandbox.
     73 domain_auto_trans(installd, idmap_exec, idmap)
     74 
     75 # Upgrade from unlabeled userdata.
     76 # Just need enough to remove and/or relabel it.
     77 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
     78 allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
     79 # Read pkg.apk file for input during dexopt.
        # NOTE(review): this grants read of *any* unlabeled file, which is wider
        # than the remove/relabel intent stated above.  It is presumably only
        # exercised on a not-yet-labeled device; confirm it is still needed once
        # all userdata carries labels.
     80 allow installd unlabeled:file r_file_perms;
     81 
     82 # Upgrade from before system_app_data_file was used for system UID apps.
     83 # Just need enough to relabel it and to unlink removed package files.
     84 # Directory access covered by earlier rule above.
     85 allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
     86 
     87 # Manage /data/data subdirectories, including initially labeling them
     88 # upon creation via setfilecon or running restorecon_recursive,
     89 # setting owner/mode, creating symlinks within them, and deleting them
     90 # upon package uninstall.
     91 # Types extracted from seapp_contexts type= fields.
        # Both relabelfrom and relabelto are granted on every type in the set,
        # so installd can move a dir or file between any pair of these app-data
        # labels -- what an unconstrained restorecon over /data/data requires.
        # Keep this list in sync with seapp_contexts; a type missing here means
        # that app's data cannot be (re)labeled or removed by installd.
     92 allow installd {
     93     system_app_data_file
     94     bluetooth_data_file
     95     nfc_data_file
     96     radio_data_file
     97     shell_data_file
     98     app_data_file
     99     autoplay_data_file
    100 }:dir { create_dir_perms relabelfrom relabelto };
    101 
    102 allow installd {
    103     system_app_data_file
    104     bluetooth_data_file
    105     nfc_data_file
    106     radio_data_file
    107     shell_data_file
    108     app_data_file
    109     autoplay_data_file
    110 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
    111 
    112 # Similar for the files under /data/misc/profiles/
    113 allow installd user_profile_data_file:dir create_dir_perms;
    114 allow installd user_profile_data_file:file create_file_perms;
    115 allow installd user_profile_data_file:dir rmdir;
    116 allow installd user_profile_data_file:file unlink;
        # Spelled out rather than via a *_dir_perms macro: installd may add and
        # remove entries and remove the dir itself, but this rule grants no
        # create or relabel on the dir, and only getattr/rename/unlink on files.
    117 allow installd user_profile_foreign_dex_data_file:dir { add_name getattr rmdir open read write search remove_name };
    118 allow installd user_profile_foreign_dex_data_file:file { getattr rename unlink };
    119 
    120 # Files created/updated by profman dumps.
        # Write-only from installd's side: the dump file can be created, have its
        # attributes set and be written, but no read permission is granted here.
    121 allow installd profman_dump_data_file:dir { search add_name write };
    122 allow installd profman_dump_data_file:file { create setattr open write };
    123 
    124 # Create and use pty created by android_fork_execvp().
    125 allow installd devpts:chr_file rw_file_perms;
    126 
    127 # execute toybox for app relocation
        # NOTE(review): no domain_auto_trans is declared for toolbox_exec in this
        # file, so (unless a transition is defined elsewhere) toybox runs inside
        # the installd domain with the capability set granted above (chown,
        # dac_override, setuid, ...).  Its arguments must therefore be fully
        # under installd's control, never derived from untrusted input.
    128 allow installd toolbox_exec:file rx_file_perms;
    129