2022-07-19 22:29:31 +02:00
|
|
|
# ART service daemon.
|
|
|
|
|
typeattribute artd coredomain;
|
Grant artd read permissions on current profile directories.
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to read current profile files.
It also needs to be mlstrustedsubject because current profile files
seem to have MLS restrictions.
Otherwise, it will get SELinux denials like:
```
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
```
Note the MLS restrictions `c512,c768` in the message above.
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: I1cb8c3ac07d3790a4d74d747707327b1d5d8ecfb
2022-09-23 23:37:59 +02:00
|
|
|
typeattribute artd mlstrustedsubject;
|
2021-03-03 21:30:28 +01:00
|
|
|
type artd_exec, system_file_type, exec_type, file_type;
|
2022-05-26 14:55:33 +02:00
|
|
|
type artd_tmpfs, file_type;
|
2021-03-03 21:30:28 +01:00
|
|
|
|
|
|
|
|
# Allow artd to publish a binder service and make binder calls.
|
|
|
|
|
binder_use(artd)
|
|
|
|
|
add_service(artd, artd_service)
|
2023-08-24 02:37:17 +02:00
|
|
|
allow artd dumpstate:fifo_file { getattr write };
|
|
|
|
|
allow artd dumpstate:fd use;
|
2021-03-03 21:30:28 +01:00
|
|
|
|
|
|
|
|
init_daemon_domain(artd)
|
2021-05-19 00:33:08 +02:00
|
|
|
|
|
|
|
|
# Allow query ART device config properties
|
|
|
|
|
get_prop(artd, device_config_runtime_native_prop)
|
|
|
|
|
get_prop(artd, device_config_runtime_native_boot_prop)
|
2022-05-26 14:55:33 +02:00
|
|
|
|
|
|
|
|
# Access to "odsign.verification.success" for deciding whether to deny files in
|
|
|
|
|
# the ART APEX data directory.
|
|
|
|
|
get_prop(artd, odsign_prop)
|
|
|
|
|
|
|
|
|
|
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
|
|
|
|
# Use tmpfs_domain() which will give tmpfs files created by artd their
|
|
|
|
|
# own label, which differs from other labels created by other processes.
|
|
|
|
|
# This allows to distinguish in policy files created by artd vs other
|
|
|
|
|
# processes.
|
|
|
|
|
tmpfs_domain(artd)
|
|
|
|
|
|
|
|
|
|
# Allow testing userfaultfd support.
|
|
|
|
|
userfaultfd_use(artd)
|
|
|
|
|
|
2022-12-12 15:28:40 +01:00
|
|
|
# Read access to primary dex'es on writable partitions
|
|
|
|
|
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
|
2023-01-17 09:57:03 +01:00
|
|
|
# Also allow creating the "oat" directory before restorecon.
|
2022-12-12 15:28:40 +01:00
|
|
|
allow artd mnt_expand_file:dir { getattr search };
|
2023-01-17 09:57:03 +01:00
|
|
|
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
|
|
|
|
|
allow artd apk_data_file:file r_file_perms;
|
2022-05-26 14:55:33 +02:00
|
|
|
|
2022-12-12 15:28:40 +01:00
|
|
|
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
|
2022-05-26 14:55:33 +02:00
|
|
|
r_dir_file(artd, vendor_app_file)
|
|
|
|
|
|
2023-06-09 06:26:54 +02:00
|
|
|
# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
|
2022-12-12 15:28:40 +01:00
|
|
|
allow artd oemfs:dir { getattr search };
|
|
|
|
|
r_dir_file(artd, vendor_overlay_file)
|
2023-06-09 06:26:54 +02:00
|
|
|
# Vendor overlay can be found in vendor apex
|
|
|
|
|
allow artd vendor_apex_metadata_file:dir { getattr search };
|
2022-12-12 15:28:40 +01:00
|
|
|
|
|
|
|
|
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
|
|
|
|
|
r_dir_file(artd, vendor_framework_file)
|
|
|
|
|
|
2022-06-07 16:20:58 +02:00
|
|
|
# Read/write access to all compilation artifacts generated on device for apps'
|
|
|
|
|
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
|
2023-01-17 09:57:03 +01:00
|
|
|
allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
|
|
|
|
|
allow artd dalvikcache_data_file:file { create_file_perms relabelto };
|
2022-05-26 14:55:33 +02:00
|
|
|
|
|
|
|
|
# Read access to the ART APEX data directory.
|
|
|
|
|
# Needed for reading the boot image generated on device.
|
|
|
|
|
allow artd apex_module_data_file:dir { getattr search };
|
|
|
|
|
r_dir_file(artd, apex_art_data_file)
|
|
|
|
|
|
|
|
|
|
# Read access to /apex/apex-info-list.xml
|
|
|
|
|
# Needed for getting APEX versions.
|
|
|
|
|
allow artd apex_info_file:file r_file_perms;
|
2022-06-07 16:20:58 +02:00
|
|
|
|
|
|
|
|
# Allow getting root capabilities to bypass permission checks.
|
|
|
|
|
# - "dac_override" and "dac_read_search" are for
|
|
|
|
|
# - reading secondary dex'es in app data directories (reading primary dex'es
|
|
|
|
|
# doesn't need root capabilities)
|
|
|
|
|
# - managing (CRUD) compilation artifacts in both APK directories for primary
|
|
|
|
|
# dex'es and in app data directories for secondary dex'es
|
|
|
|
|
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
|
|
|
|
|
# - "fowner" is for adjusting the file permissions of compilation artifacts and
|
|
|
|
|
# profile files based on whether they include user data or not.
|
2022-07-19 22:29:31 +02:00
|
|
|
# - "chown" is for transferring the ownership of compilation artifacts and
|
|
|
|
|
# profile files to the system or apps.
|
|
|
|
|
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
|
|
|
|
|
|
2022-12-23 17:24:14 +01:00
|
|
|
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
|
|
|
|
|
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
|
|
|
|
|
allow artd user_profile_root_file:dir r_dir_perms;
|
Grant artd write permissions on profile directories.
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to add/delete/replace profile
files. Otherwise, it will get SELinux denials like:
```
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { write } for name="com.google.android.youtube" dev="dm-52" ino=922 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { add_name } for name="primary.prof.6mOsV9.tmp" scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
```
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: Ib1a914b9a9526a85b69d27970e4b23c4e101c68a
2022-09-23 21:59:42 +02:00
|
|
|
allow artd user_profile_data_file:dir rw_dir_perms;
|
2022-07-19 22:29:31 +02:00
|
|
|
allow artd user_profile_data_file:file create_file_perms;
|
|
|
|
|
|
2022-10-21 18:03:56 +02:00
|
|
|
# Read/write access to secondary dex files, their profiles, and their
|
|
|
|
|
# compilation artifacts
|
|
|
|
|
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
|
|
|
|
|
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
|
|
|
|
|
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
|
|
|
|
|
|
2022-12-12 15:34:50 +01:00
|
|
|
# Allow symlinks for secondary dex files. This has be to restricted because
|
|
|
|
|
# symlinks can cause various security issues. We allow "privapp_data_file" just
|
|
|
|
|
# for GMS because so far we only see GMS using symlinks.
|
|
|
|
|
allow artd privapp_data_file:lnk_file { getattr read };
|
|
|
|
|
|
2022-12-12 14:45:13 +01:00
|
|
|
# Read access to SELinux context files, for restorecon.
|
|
|
|
|
allow artd file_contexts_file:file r_file_perms;
|
|
|
|
|
allow artd seapp_contexts_file:file r_file_perms;
|
|
|
|
|
|
|
|
|
|
# Check validity of SELinux context, for restorecon.
|
|
|
|
|
selinux_check_context(artd)
|
|
|
|
|
|
2022-12-23 17:24:14 +01:00
|
|
|
# Allow scanning /, for cleaning up obsolete managed files.
|
|
|
|
|
allow artd rootfs:dir r_dir_perms;
|
|
|
|
|
|
|
|
|
|
# Allow scanning /data, for cleaning up obsolete managed files.
|
|
|
|
|
allow artd system_data_root_file:dir r_dir_perms;
|
|
|
|
|
|
|
|
|
|
# Allow scanning /mnt, for cleaning up obsolete managed files.
|
|
|
|
|
allow artd tmpfs:dir r_dir_perms;
|
|
|
|
|
|
|
|
|
|
# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
|
|
|
|
|
allow artd mnt_expand_file:dir r_dir_perms;
|
|
|
|
|
|
|
|
|
|
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
|
|
|
|
|
# up obsolete managed files.
|
|
|
|
|
allow artd system_userdir_file:dir r_dir_perms;
|
|
|
|
|
|
|
|
|
|
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
|
|
|
|
|
# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
|
|
|
|
|
allow artd system_data_file:dir r_dir_perms;
|
|
|
|
|
|
2022-07-19 22:29:31 +02:00
|
|
|
# Never allow running other binaries without a domain transition.
|
|
|
|
|
# The only exception is art_exec. It is allowed to use the artd domain because
|
|
|
|
|
# it is a thin wrapper that executes other binaries on behalf of artd.
|
|
|
|
|
neverallow artd ~{art_exec_exec}:file execute_no_trans;
|
|
|
|
|
allow artd art_exec_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
|
|
# Allow running other binaries in their own domains.
|
|
|
|
|
domain_auto_trans(artd, profman_exec, profman)
|
|
|
|
|
domain_auto_trans(artd, dex2oat_exec, dex2oat)
|
|
|
|
|
|
|
|
|
|
# Allow sending sigkill to subprocesses.
|
|
|
|
|
allow artd { profman dex2oat }:process sigkill;
|
2022-09-08 00:52:09 +02:00
|
|
|
|
|
|
|
|
# Allow reading process info (/proc/<pid>/...).
|
|
|
|
|
# This is needed for getting CPU time and wall time spent on subprocesses.
|
|
|
|
|
r_dir_file(artd, profman);
|
|
|
|
|
r_dir_file(artd, dex2oat);
|
2023-10-13 20:26:56 +02:00
|
|
|
|
|
|
|
|
# Allow artd to reopen its own memfd.
|
|
|
|
|
# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
|
|
|
|
|
# that don't have write permissions on memfds.
|
|
|
|
|
allow artd artd_tmpfs:file open;
|
