Allow installd to get/set filesystem quotas.

To support upcoming disk usage calculation optimizations, this change grants installd access to work with filesystem quotas. avc: denied { search } for name="block" dev="tmpfs" ino=15279 scontext=u:r:installd:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=1 avc: denied { quotaget } for scontext=u:r:installd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1 Test: builds Bug: 27948817 Change-Id: Ic166e8ced30e15ce84223576729888a824037691

Allow installd to get/set filesystem quotas.
fe1de046 · Jeff Sharkey · 62f0b8ea · fe1de046
Commit fe1de046 authored 8 years ago by Jeff Sharkey
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
 type installd, domain, domain_deprecated;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
@@ -127,6 +127,10 @@ allow installd dumpstate:fifo_file  { getattr write };
 binder_call(installd, system_server)
 allow installd permission_service:service_manager find;
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
 ###
 ### Neverallow rules
 ###