From 51946bc87e510a3fef6bc87dd49c4a4ce3cc532b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 1 Jul 2013 17:08:11 -0700
Subject: [PATCH] installd: enable SELinux restrictions

This change enables SELinux security enforcement on the installd
process.

For the installd.te file only, this change is equivalent to reverting
the following commits:

    * 50e37b93ac97631dcac6961285b92af5026557af
    * 77d4731e9d30c8971e076e2469d6957619019921

No other changes were required.

Testing: As much as possible, I've tested that package installation
works, from both adb and via Android market. There were no denials
in the kernel dmesg log, and everything appears to be working correctly.

It's quite possible I've missed something. If we experience problems,
I'm happy to roll back this change.

Bug: 9662644
Change-Id: Id93d4ee7b517dfa28c9a0b1d45d936b56892ac0a
---
 installd.te | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/installd.te b/installd.te
index 4ad5513c5..428e3790d 100644
--- a/installd.te
+++ b/installd.te
@@ -1,7 +1,26 @@
 # installer daemon
 type installd, domain;
-permissive installd;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
-unconfined_domain(installd)
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file create_file_perms;
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd data_file_type:dir create_dir_perms;
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:{ file lnk_file } { getattr unlink };
+allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
+allow installd system_file:file x_file_perms;
+allow installd cgroup:dir create_dir_perms;
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file r_file_perms;
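Review bot: The `dontaudit installd self:capability sys_admin;` rule and the `typeattribute installd mlstrustedsubject;` line have no comment, unlike the three commented groups at the end of the hunk, and they are the two lines a later policy audit most needs explained. Because dontaudit keeps the sys_admin denial out of the log, the "no denials in dmesg" check in the description cannot show whether installd still requests that capability; a comment such as `# sys_admin is probed by <operation> but not required; suppress the log noise` (operation to be filled in by the author) would record the reason. For the attribute, something like `# installd manages app data dirs across MLS levels` would do, if that is indeed the intent. Separately, the three rules on the `data_file_type` attribute give create, relabel and unlink over every data type rather than only the app-data types, so it is worth noting in a comment why the attribute is needed, or narrowing it in a follow-up once the labels installd touches are enumerated.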
-- 
GitLab