From 9702e49307aa738508bb0949bac3000fe9ec5a0d Mon Sep 17 00:00:00 2001 From: "jaejyn.shin" Date: Tue, 24 Dec 2013 08:59:53 +0900 Subject: DO NOT MERGE: Adding permissions needed to remove cache During removing cache data using Zipper application, I found violation logs. avc: denied { write } for pid=198 comm="installd" name="cache" dev="mmcblk0p29" ino=81680 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir avc: denied { remove_name } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir avc: denied { unlink } for pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file Reproduction path is like below 1. Downloading Zipper application from Google Play (I used Zipper 1.9.9.2) 2. Clicking option and clicking "removing cache" button 3. Select "yes" 4. Violation show up (cherry picked from commit 9cc6d8d581b6094b36c59a0e95d674cb193916e8) Bug: 13450421 Change-Id: I487ccd1d8d58bf2c590af39a7b1eb448c113670e
---
installd.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/installd.te b/installd.te
index 85ba69f..7c72158 100644
--- a/installd.te
+++ b/installd.te
@@ -16,8 +16,8 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd download_file:dir { r_dir_perms };
-allow installd download_file:file { r_file_perms };
+allow installd download_file:dir { r_dir_perms write remove_name };
+allow installd download_file:file { r_file_perms unlink };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-- cgit v1.2.3
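Review bot: The two widened rules on `download_file` are built from exactly the three denials quoted in the commit message (`write`, `remove_name`, `unlink`), so they cover removing regular files directly inside a `download_file` directory and nothing else. If a cache tree with this label can hold subdirectories, installd's cleanup will still be denied at `rmdir`; that case should be checked and, if it applies, the dir rule would become `allow installd download_file:dir { r_dir_perms write remove_name rmdir };`. Because a type-enforcement rule cannot be scoped by path, this lets installd delete every file labeled `download_file`, so a comment above the rules such as `# installd deletes download_file entries when clearing app cache (Bug: 13450421).` would record why the grant exists. Keeping the explicit permission list instead of a broader macro such as `rw_dir_perms` is the right choice for least privilege.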