diff options
| author | dcashman <dcashman@google.com> | 2014-08-06 18:09:35 -0700 |
|---|---|---|
| committer | dcashman <dcashman@google.com> | 2014-08-06 18:19:41 -0700 |
| commit | fbbe9e9117bd55c46ee971577f2fdd64993eb64a (patch) | |
| tree | 911bc3c5ff3de3b7feb976c9d30d4ff3539b86da | |
| parent | 3fe1bcbb8d2f2e17e7506d7fb0302068c9ccc915 (diff) | |
| download | sepolicy-fbbe9e9117bd55c46ee971577f2fdd64993eb64a.tar.gz | |
Allow untrusted_app access to temporary apk files.
Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow. This verifier runs as
a priv-app, which is in the untrusted_app domain. Allow untrusted_app
read-access to these files.
Bug: 16515815
Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
| -rw-r--r-- | untrusted_app.te | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/untrusted_app.te b/untrusted_app.te index c97b451..ea20e56 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -95,3 +95,7 @@ neverallow untrusted_app service_manager_type:service_manager add; neverallow untrusted_app property_socket:sock_file write; neverallow untrusted_app init:unix_stream_socket connectto; neverallow untrusted_app property_type:property_service set; + +# Allow verifier to access staged apks. +allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; +allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
\ No newline at end of file |