Merge "Allow installd to delete files via sdcardfs." into oc-dev

c659e37c · Jeff Sharkey · Android (Google) Code Review · 0181f5f1 · 72f4c619 · c659e37c
Commit c659e37c authored 7 years ago by Jeff Sharkey Committed by Android (Google) Code Review 7 years ago
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
 # rules removed from the domain attribute

 # Search /storage/emulated tmpfs mount.
-allow domain_deprecated tmpfs:dir r_dir_perms;
+allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
 userdebug_or_eng(`
 auditallow {
  domain_deprecated
  -appdomain
+  -installd
  -sdcardd
  -surfaceflinger
  -system_server

--- a/public/installd.te
+++ b/public/installd.te
@@ -54,6 +54,12 @@ allow installd media_rw_data_file:file { getattr unlink };
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;

+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
+allow installd sdcardfs:file { getattr unlink };
+
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
 allow installd misc_user_data_file:file create_file_perms;