Fix sepolicy for secondary dex files

dexoptanalyzer need read access on the secondary dex files and of the main apk files in order to successfully evaluate and optimize them. Example of denial: audit(0.0:30): avc: denied { read } for path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk" dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 app=com.example.secondaryrepro Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app Bug: 160471235 Bug: 160351055 Merged-In: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
2020-07-13 18:53:38 -07:00 · 2020-07-13 18:53:38 -07:00 · 0bee120900
commit 0bee120900
parent e30b4b613c
4 changed files with 12 additions and 0 deletions
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@ -22,6 +22,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
@ -38,6 +39,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
--- a/prebuilts/api/30.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/30.0/private/dexoptanalyzer.te
@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;

+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -22,6 +22,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
@ -38,6 +39,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;

+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.