Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 2679d8e3a3504891fcb9525b9aaf5276061414a1^! / . / private / priv_app.te
commit2679d8e3a3504891fcb9525b9aaf5276061414a1[log] [tgz]
authorSongchun Fan <schfan@google.com>Tue Mar 17 18:30:34 2020 -0700
committerSongchun Fan <schfan@google.com>Thu Mar 19 16:31:52 2020 -0700
tree768e1576b70c72da7a16c7fb3779b67f9f2cf3b8
parent19a5cc2bab59a4eea424ab38a6f1aa67b65860f1 [diff] [blame]
[selinux] permissions on new ioctls for filling blocks

(Cherry-picking)

Denial messages:

03-17 20:30:54.274  1445  1445 I PackageInstalle: type=1400 audit(0.0:6): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313134353234353836342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

03-17 20:30:54.274  1445  1445 I PackageInstalle: type=1400 audit(0.0:7): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_1145245864/mount/.index/2b300000000000000000000000000000" dev="incremental-fs" ino=6794 ioctlcmd=0x6720 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:13): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3537383539353635322F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending

03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:14): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_578595652/mount/.index/626173652e61706b0000000000000000" dev="incremental-fs" ino=5810 ioctlcmd=0x6720 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending

Test: manual
BUG: 150809360
Merged-In: If43fa9edad0848a59c0712b124adfcdbbd0c99a4
Change-Id: I10e95caba43e1e1c272b59b7191b36b1cff4ff67

diff --git a/private/priv_app.te b/private/priv_app.te
index dd4d5c7..db28bec 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -147,11 +147,15 @@
         connect getattr read recvfrom sendto write getopt setopt };
 
 # allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System
-allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+# the Incremental File System, and fill missing blocks in the apk
+allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
 
 # allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
-allow priv_app incremental_control_file:file { read getattr };
+allow priv_app incremental_control_file:file { read getattr ioctl };
+
+# allow apps like Phonesky to request permission to fill blocks of an apk file
+# on the Incremental File System.
+allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
 
 ###
 ### neverallow rules