platform_system_sepolicy/private/artd.te

# art service daemon
type artd, domain, coredomain;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;

# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
allow artd dumpstate:fifo_file  { getattr write };

init_daemon_domain(artd)

# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)

# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)

# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
tmpfs_domain(artd)

# Allow testing userfaultfd support.
userfaultfd_use(artd)

# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
r_dir_file(artd, apk_data_file)

# Read access to /vendor/app.
r_dir_file(artd, vendor_app_file)

# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
allow artd dalvikcache_data_file:file create_file_perms;

# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)

# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;

# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
#   - reading secondary dex'es in app data directories (reading primary dex'es
#     doesn't need root capabilities)
#   - managing (CRUD) compilation artifacts in both APK directories for primary
#     dex'es and in app data directories for secondary dex'es
#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
#   profile files based on whether they include user data or not.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
Add SELinux properties for artd Test: boot device and check for artd process Change-Id: I2a161701102ecbde3e293af0346d1db0b11d4aab 2021-03-03 21:30:28 +01:00			`# art service daemon`
Allow artd to check optimization status. Bug: 233383589 Test: - 1. adb shell pm art get-optimization-status com.google.android.youtube 2. See no SELinux denials. Test: - 1. adb shell pm compile -m speed com.google.android.youtube 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Test: - 1. adb shell pm install /product/app/YouTube/YouTube.apk 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Change-Id: I943ebca4ec02c356fa0399b13f6154e7623f228b 2022-05-26 14:55:33 +02:00			`type artd, domain, coredomain;`
Add SELinux properties for artd Test: boot device and check for artd process Change-Id: I2a161701102ecbde3e293af0346d1db0b11d4aab 2021-03-03 21:30:28 +01:00			`type artd_exec, system_file_type, exec_type, file_type;`
Allow artd to check optimization status. Bug: 233383589 Test: - 1. adb shell pm art get-optimization-status com.google.android.youtube 2. See no SELinux denials. Test: - 1. adb shell pm compile -m speed com.google.android.youtube 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Test: - 1. adb shell pm install /product/app/YouTube/YouTube.apk 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Change-Id: I943ebca4ec02c356fa0399b13f6154e7623f228b 2022-05-26 14:55:33 +02:00			`type artd_tmpfs, file_type;`
Add SELinux properties for artd Test: boot device and check for artd process Change-Id: I2a161701102ecbde3e293af0346d1db0b11d4aab 2021-03-03 21:30:28 +01:00
			`# Allow artd to publish a binder service and make binder calls.`
			`binder_use(artd)`
			`add_service(artd, artd_service)`
			`allow artd dumpstate:fifo_file { getattr write };`

			`init_daemon_domain(artd)`
Enable ART properties modularization ART is becoming a module and we need to be able to add new properties without modifying the non updatable part of the platform: - convert ART properties to use prefix in the namespace of [ro].dalvik.vm. - enable appdomain and coredomain to read device_config properties that configure ART Test: boot Bug: 181748174 Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832 2021-05-19 00:33:08 +02:00
			`# Allow query ART device config properties`
			`get_prop(artd, device_config_runtime_native_prop)`
			`get_prop(artd, device_config_runtime_native_boot_prop)`
Allow artd to check optimization status. Bug: 233383589 Test: - 1. adb shell pm art get-optimization-status com.google.android.youtube 2. See no SELinux denials. Test: - 1. adb shell pm compile -m speed com.google.android.youtube 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Test: - 1. adb shell pm install /product/app/YouTube/YouTube.apk 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Change-Id: I943ebca4ec02c356fa0399b13f6154e7623f228b 2022-05-26 14:55:33 +02:00
			`# Access to "odsign.verification.success" for deciding whether to deny files in`
			`# the ART APEX data directory.`
			`get_prop(artd, odsign_prop)`

			`# Reading an APK opens a ZipArchive, which unpack to tmpfs.`
			`# Use tmpfs_domain() which will give tmpfs files created by artd their`
			`# own label, which differs from other labels created by other processes.`
			`# This allows to distinguish in policy files created by artd vs other`
			`# processes.`
			`tmpfs_domain(artd)`

			`# Allow testing userfaultfd support.`
			`userfaultfd_use(artd)`

			`# Read access to primary dex'es on writable partitions (e.g., /data/app/...).`
			`r_dir_file(artd, apk_data_file)`

			`# Read access to /vendor/app.`
			`r_dir_file(artd, vendor_app_file)`

Allow artd to get root capabilities and write to dalvikcache_data_file. This CL adds rules to allow artd to delete optimized artifacts. In general, some functionalities from installd are being migrated to artd, so artd needs permissions to do what installd is doing: managing profiles and compilation artifacts that belong to individual apps. Bug: 225827974 Test: adb shell pm art delete-optimized-artifacts com.google.android.youtube Change-Id: I1780cdfb481175fd3b0bc9031fdabb8e7cd71a12 2022-06-07 16:20:58 +02:00			`# Read/write access to all compilation artifacts generated on device for apps'`
			`# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)`
			`allow artd dalvikcache_data_file:dir create_dir_perms;`
			`allow artd dalvikcache_data_file:file create_file_perms;`
Allow artd to check optimization status. Bug: 233383589 Test: - 1. adb shell pm art get-optimization-status com.google.android.youtube 2. See no SELinux denials. Test: - 1. adb shell pm compile -m speed com.google.android.youtube 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Test: - 1. adb shell pm install /product/app/YouTube/YouTube.apk 2. adb shell pm art get-optimization-status com.google.android.youtube 3. See no SELinux denials. Change-Id: I943ebca4ec02c356fa0399b13f6154e7623f228b 2022-05-26 14:55:33 +02:00
			`# Read access to the ART APEX data directory.`
			`# Needed for reading the boot image generated on device.`
			`allow artd apex_module_data_file:dir { getattr search };`
			`r_dir_file(artd, apex_art_data_file)`

			`# Read access to /apex/apex-info-list.xml`
			`# Needed for getting APEX versions.`
			`allow artd apex_info_file:file r_file_perms;`
Allow artd to get root capabilities and write to dalvikcache_data_file. This CL adds rules to allow artd to delete optimized artifacts. In general, some functionalities from installd are being migrated to artd, so artd needs permissions to do what installd is doing: managing profiles and compilation artifacts that belong to individual apps. Bug: 225827974 Test: adb shell pm art delete-optimized-artifacts com.google.android.youtube Change-Id: I1780cdfb481175fd3b0bc9031fdabb8e7cd71a12 2022-06-07 16:20:58 +02:00
			`# Allow getting root capabilities to bypass permission checks.`
			`# - "dac_override" and "dac_read_search" are for`
			`# - reading secondary dex'es in app data directories (reading primary dex'es`
			`# doesn't need root capabilities)`
			`# - managing (CRUD) compilation artifacts in both APK directories for primary`
			`# dex'es and in app data directories for secondary dex'es`
			`# - managing (CRUD) profile files for both primary dex'es and secondary dex'es`
			`# - "fowner" is for adjusting the file permissions of compilation artifacts and`
			`# profile files based on whether they include user data or not.`
			`allow artd self:global_capability_class_set { dac_override dac_read_search fowner };`