From fe1de046261a6da4e04b8b9bce6c0a1ae7653d58 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Thu, 15 Dec 2016 12:51:00 -0700
Subject: [PATCH] Allow installd to get/set filesystem quotas.

To support upcoming disk usage calculation optimizations, this change
grants installd access to work with filesystem quotas.

avc: denied { search } for name="block" dev="tmpfs" ino=15279 scontext=u:r:installd:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { sys_admin } for capability=21 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=1
avc: denied { quotaget } for scontext=u:r:installd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1

Test: builds
Bug: 27948817
Change-Id: Ic166e8ced30e15ce84223576729888a824037691
---
 public/installd.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/public/installd.te b/public/installd.te
index d2bb5c69f..246fffa9e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
 type installd, domain, domain_deprecated;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
 
 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
@@ -127,6 +127,10 @@ allow installd dumpstate:fifo_file  { getattr write };
 binder_call(installd, system_server)
 allow installd permission_service:service_manager find;
 
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
 ###
 ### Neverallow rules
 ###
-- 
GitLab