From 68f233648ed3e413050c6d33848f570fc24a5398 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 7 Nov 2016 16:14:28 -0800
Subject: [PATCH] installd: r_dir_file(installd, system_file)

Allow installd to read through files, directories, and symlinks on /system. This is needed to support installd using files in /system/app and /system/priv-app

Addresses the following auditallow spam:

avc: granted { getattr } for comm="installd" path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so" dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { getattr } for comm="installd" path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so" dev="dm-0" ino=2305 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { read open } for comm="installd" path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43" ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: granted { read open } for comm="installd" path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43" ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: granted { read open } for comm="installd" path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir

Test: policy compiles
Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2
---
 public/domain_deprecated.te | 32 +++++++++++++++++++++++++++++---
 public/installd.te | 2 ++
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 6e3b671a2..226cc0f58 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -41,9 +41,35 @@ auditallow domain_deprecated device:file read;
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
 allow domain_deprecated system_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
-auditallow { domain_deprecated -appdomain -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -init
+ -installd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} system_file:dir { open read ioctl lock }; # search getattr in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -init
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} system_file:file { ioctl lock }; # read open getattr in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -init
+ -installd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} system_file:lnk_file { getattr open ioctl lock }; # read in domain

 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
diff --git a/public/installd.te b/public/installd.te
index a544d5be7..4396ea46a 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -25,6 +25,8 @@ allow installd mnt_expand_file:dir { search getattr };

 selinux_check_context(installd)
 r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)

 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
-- 
GitLab
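Review bot: installd is removed from the `system_file:dir` and `system_file:lnk_file` auditallow sets but left in the `system_file:file { ioctl lock }` set, even though `r_dir_file(installd, system_file)` in installd.te grants `r_file_perms` on system_file, which the trailing comments on these lines suggest already covers ioctl and lock. If the intent is to keep auditing those two file permissions for installd until a device actually exercises them (the avc records in the commit message show only dir and lnk_file, which supports that reading), a comment on the middle block would stop the next reader from treating the asymmetry as an oversight, e.g. `# installd intentionally not excluded: no ioctl/lock on system_file observed yet`. Otherwise `-installd` belongs in that set too, for consistency with the other two blocks.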
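Review bot: The comment added above `r_dir_file(installd, system_file)` names only /system/app and /system/priv-app, but the rule is keyed on the system_file type, not on a path, so the read access it grants extends to everything carrying that label. Stating that explicitly keeps the policy honest about its scope, e.g. `# Scan through APKs in /system/app and /system/priv-app. system_file is not path-scoped, so this covers every system_file-labeled object.` Since the matching `-installd` exemptions in domain_deprecated.te also remove the audit records for installd's dir and lnk_file reads on system_file, the "Test: policy compiles" line could be strengthened by confirming on a device that the `avc: granted` messages quoted in the description no longer appear.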