Merge "Allow installd to delete files via sdcardfs." into oc-dev

am: c659e37c Change-Id: I4d1285c41c77b9e828753b628cfdc76d3e2a3dd9

Merge "Allow installd to delete files via sdcardfs." into oc-dev
c780facd · Jeff Sharkey · android-build-merger · 3ab87927 · c659e37c · c780facd
Commit c780facd authored 7 years ago by Jeff Sharkey Committed by android-build-merger 7 years ago
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
 # rules removed from the domain attribute

 # Search /storage/emulated tmpfs mount.
-allow domain_deprecated tmpfs:dir r_dir_perms;
+allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
 userdebug_or_eng(`
 auditallow {
  domain_deprecated
  -appdomain
+  -installd
  -sdcardd
  -surfaceflinger
  -system_server

--- a/public/installd.te
+++ b/public/installd.te
@@ -54,6 +54,12 @@ allow installd media_rw_data_file:file { getattr unlink };
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;

+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
+allow installd sdcardfs:file { getattr unlink };
+
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
 allow installd misc_user_data_file:file create_file_perms;