platform_system_sepolicy/private/viewcompiler.te

# viewcompiler
type viewcompiler, domain, coredomain, mlstrustedsubject;
type viewcompiler_exec, system_file_type, exec_type, file_type;
type viewcompiler_tmpfs, file_type;

# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by viewcompiler vs other
# processes.
tmpfs_domain(viewcompiler)

allow viewcompiler installd:fd use;

# Include write permission for app data files so viewcompiler can generate
# compiled layout dex files
allow viewcompiler app_data_file:file { getattr write };

# Allow the view compiler to read resources from the apps APK.
allow viewcompiler apk_data_file:file { read map };

# priv-apps are moving to a world where they can only execute
# signed code. Make sure viewcompiler never can write to privapp
# directories to avoid introducing unsigned executable code
neverallow viewcompiler privapp_data_file:file no_w_file_perms;
[layout compilation] Modify sepolicy to allow installd to run viewcompiler We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work. Bug: 111895153 Test: manual Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b 2019-01-11 17:13:01 +01:00			`# viewcompiler`
			`type viewcompiler, domain, coredomain, mlstrustedsubject;`
			`type viewcompiler_exec, system_file_type, exec_type, file_type;`
Properly Treble-ize tmpfs access This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358 Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358 (cherry picked from commit e16fb9109c678f47aa7698605477d9a6baf398fb) 2019-01-24 00:07:40 +01:00			`type viewcompiler_tmpfs, file_type;`
[layout compilation] Modify sepolicy to allow installd to run viewcompiler We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work. Bug: 111895153 Test: manual Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b 2019-01-11 17:13:01 +01:00
			`# Reading an APK opens a ZipArchive, which unpack to tmpfs.`
			`# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their`
			`# own label, which differs from other labels created by other processes.`
			`# This allows to distinguish in policy files created by viewcompiler vs other`
			`# processes.`
			`tmpfs_domain(viewcompiler)`

			`allow viewcompiler installd:fd use;`

			`# Include write permission for app data files so viewcompiler can generate`
			`# compiled layout dex files`
			`allow viewcompiler app_data_file:file { getattr write };`

			`# Allow the view compiler to read resources from the apps APK.`
Give map permission to viewcompiler On cuttlefish devices, the resource loading code apparently maps the file rather than just reading it. Denial log: viewcompiler: type=1400 audit(0.0:308): avc: denied { map } for path="/data/app/android.startop.test-Z2JxVhtKPw2wx4o-nmo5NA==/base.apk" dev="vdb" ino=139269 scontext=u:r:viewcompiler:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=android.startop.test Bug: 139018973 Change-Id: I4bbbc44abc3c4315137f76a0be737236cf10f4ef 2019-08-16 00:15:30 +02:00			`allow viewcompiler apk_data_file:file { read map };`
[layout compilation] Modify sepolicy to allow installd to run viewcompiler We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work. Bug: 111895153 Test: manual Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b 2019-01-11 17:13:01 +01:00
			`# priv-apps are moving to a world where they can only execute`
			`# signed code. Make sure viewcompiler never can write to privapp`
			`# directories to avoid introducing unsigned executable code`
			`neverallow viewcompiler privapp_data_file:file no_w_file_perms;`