commit cf2694bf863fc31ac5862b92bb9258136de57932
author Marie Matheson <mmatheson@google.com> Thu Nov 30 19:37:43 2023 +0000
committer Marie Matheson <mmatheson@google.com> Tue Dec 05 15:17:19 2023 +0000
tree c8b8ab6df82cc18fa357d5c5d9938fa4f700c6b2
parent 11f4cc754dbca2acd644dae917369ee715a30313

Allow isolated to read staged apks

type=1400 audit(0.0:835): avc: denied { read }
for path="/data/app/vmdl1923101285.tmp/base.apk"
dev="dm-37" ino=29684
scontext=u:r:isolated_app:s0:c512,c768
tcontext=u:object_r:apk_tmp_file:s0 tclass=file
permissive=0

Bug: 308775782
Test: Flashed to device with and without this change, confirmed that this
change allows an isolated process to read already opened staged apk file

Change-Id: I7226bae79344c3b2a5a0f59940dde6d64a8a7ea1

private/isolated_app_all.te

diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 189d064..1ffcabe 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,6 +32,9 @@
 # suppress denials to /data/local/tmp
 dontaudit isolated_app_all shell_data_file:dir search;
 
+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
 #####
 ##### Neverallow
 #####

public/app.te

diff --git a/public/app.te b/public/app.te
index a45149f..b539913 100644
--- a/public/app.te
+++ b/public/app.te
@@ -110,9 +110,6 @@
     apk_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
     apk_private_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
@@ -139,11 +136,15 @@
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+    apk_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
     { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
 
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
 
 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;