platform_system_sepolicy/private/artd.te

102 lines
4.2 KiB
Text
Raw Normal View History

# ART service daemon.
typeattribute artd coredomain;
Grant artd read permissions on current profile directories. The permissions are needed for profile-guided compilation: when ART Services compiles an app, it uses the information in current profiles as one factor to determine which classes and methods to compile. Since there can be multiple current profiles, in practice, it merges the current profiles into a "reference profile" and passes that to the compiler. After the compilation is done successfully, it keeps the reference profile and deletes current profiles. This is currently done by installd (http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade), and we'd like artd to do it. In addition, we want to make artd work in a more atomic way: If a reference profile already exists, instead of mutating it in place, artd creates a temp file next to it, works on the temp file, and replaces the original file after it's done (or deletes the temp file if it fails). Therefore, artd needs the permissions to read current profile files. It also needs to be mlstrustedsubject because current profile files seem to have MLS restrictions. Otherwise, it will get SELinux denials like: ``` 09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1 09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1 ``` Note the MLS restrictions `c512,c768` in the message above. Bug: 248318911 Test: manual - 1. adb shell pm art optimize-package -m speed-profile \ com.google.android.youtube 2. See no SELinux denials like above. Change-Id: I1cb8c3ac07d3790a4d74d747707327b1d5d8ecfb
2022-09-23 23:37:59 +02:00
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
allow artd dumpstate:fifo_file { getattr write };
init_daemon_domain(artd)
# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)
# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
tmpfs_domain(artd)
# Allow testing userfaultfd support.
userfaultfd_use(artd)
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
allow artd dalvikcache_data_file:file create_file_perms;
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)
# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;
# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
# - reading secondary dex'es in app data directories (reading primary dex'es
# doesn't need root capabilities)
# - managing (CRUD) compilation artifacts in both APK directories for primary
# dex'es and in app data directories for secondary dex'es
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
# profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
# profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
Grant artd read permissions on current profile directories. The permissions are needed for profile-guided compilation: when ART Services compiles an app, it uses the information in current profiles as one factor to determine which classes and methods to compile. Since there can be multiple current profiles, in practice, it merges the current profiles into a "reference profile" and passes that to the compiler. After the compilation is done successfully, it keeps the reference profile and deletes current profiles. This is currently done by installd (http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade), and we'd like artd to do it. In addition, we want to make artd work in a more atomic way: If a reference profile already exists, instead of mutating it in place, artd creates a temp file next to it, works on the temp file, and replaces the original file after it's done (or deletes the temp file if it fails). Therefore, artd needs the permissions to read current profile files. It also needs to be mlstrustedsubject because current profile files seem to have MLS restrictions. Otherwise, it will get SELinux denials like: ``` 09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1 09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1 ``` Note the MLS restrictions `c512,c768` in the message above. Bug: 248318911 Test: manual - 1. adb shell pm art optimize-package -m speed-profile \ com.google.android.youtube 2. See no SELinux denials like above. Change-Id: I1cb8c3ac07d3790a4d74d747707327b1d5d8ecfb
2022-09-23 23:37:59 +02:00
allow artd user_profile_root_file:dir { getattr search };
Grant artd write permissions on profile directories. The permissions are needed for profile-guided compilation: when ART Services compiles an app, it uses the information in current profiles as one factor to determine which classes and methods to compile. Since there can be multiple current profiles, in practice, it merges the current profiles into a "reference profile" and passes that to the compiler. After the compilation is done successfully, it keeps the reference profile and deletes current profiles. This is currently done by installd (http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade), and we'd like artd to do it. In addition, we want to make artd work in a more atomic way: If a reference profile already exists, instead of mutating it in place, artd creates a temp file next to it, works on the temp file, and replaces the original file after it's done (or deletes the temp file if it fails). Therefore, artd needs the permissions to add/delete/replace profile files. Otherwise, it will get SELinux denials like: ``` 09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { write } for name="com.google.android.youtube" dev="dm-52" ino=922 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1 09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { add_name } for name="primary.prof.6mOsV9.tmp" scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1 ``` Bug: 248318911 Test: manual - 1. adb shell pm art optimize-package -m speed-profile \ com.google.android.youtube 2. See no SELinux denials like above. Change-Id: Ib1a914b9a9526a85b69d27970e4b23c4e101c68a
2022-09-23 21:59:42 +02:00
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file rx_file_perms;
# Allow running other binaries in their own domains.
domain_auto_trans(artd, profman_exec, profman)
domain_auto_trans(artd, dex2oat_exec, dex2oat)
# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;
# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);