Rules to allow installing package directories.

Earlier changes had extended the rules, but some additional changes are needed. avc: denied { relabelfrom } for name="vmdl-723825123.tmp" dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir Bug: 14975160 Change-Id: Ia644c73ec10460a2a529fe197ade6afe46694651

Rules to allow installing package directories.
c02c98d3 · Jeff Sharkey · 0c9a873a · c02c98d3 · c02c98d3
Commit c02c98d3 authored 10 years ago by Jeff Sharkey
--- a/file_contexts
+++ b/file_contexts
@@ -179,10 +179,10 @@
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
-/data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/app(/.*)?                       u:object_r:apk_data_file:s0
-/data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
+/data/app/vmdl.*\.tmp(/.*)?           u:object_r:apk_tmp_file:s0
-/data/app-private(/.*)?		u:object_r:apk_private_data_file:s0
+/data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
@@ -236,7 +236,7 @@
 #############################
 # asec containers
-/mnt/asec(/.*)?           u:object_r:asec_apk_file:s0
+/mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/res\.zip   u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)?   u:object_r:asec_public_file:s0
-/data/app-asec(/.*)?      u:object_r:asec_image_file:s0
+/data/app-asec(/.*)?        u:object_r:asec_image_file:s0
--- a/system_server.te
+++ b/system_server.te
@@ -171,11 +171,13 @@ allow system_server system_data_file:notdevfile_class_set create_file_perms;
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
 allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
 allow system_server apk_private_tmp_file:file create_file_perms;
 # Manage files within asec containers.
@@ -252,8 +254,8 @@ allow system_server media_rw_data_file:file { getattr read write };
 security_access_policy(system_server)
 # Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;