Update SELinux policy to allow artd to perform secondary dex compilation

Secondary dex files are in app data directories. In order to perform
secondary dex compilation, artd needs permissions to:
- Read secondary dex files
- Create "oat" dir
- Create a reference profile in "oat" dir
- Rename the reference profile
- Delete the reference profile
- Read the current profile in "oat" dir
- Delete the current profile
- Create compilation artifacts in "oat" dir
- Rename compilation artifacts
- Delete compilation artifacts

Bug: 249984283
Test: -
  1. adb shell pm art optimize-package --secondary-dex -m speed-profile -f com.google.android.gms
  2. See no SELinux denial.
Change-Id: I19a0ea7895a54c67959b22085de27d1d0ccc1efc
Jiakai Zhang 2022-10-21 17:03:56 +01:00
parent 4a5c2dee68
commit 2ffeca72a6
4 changed files with 25 additions and 0 deletions


@ -67,6 +67,12 @@ allow artd user_profile_root_file:dir { getattr search };
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
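Review bot: The two new allow rules, `allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };` and the matching `:file` rule, grant more than the commit message justifies: the listed needs are read, create, rename and delete, none of which requires `relabelfrom`/`relabelto`, and the comment above the rules does not say what artd relabels or why. The attribute is also wider than the `<package-name>` directories the comment names — the domain.te comment in this same change shows it reaches the `com.android.shell` data directory, which shares its label with /data/local/tmp. Either drop the relabel permissions, or extend the comment so the grant is explained in place, e.g. `# relabelfrom/relabelto are needed because ... (fill in); note app_data_file_type also covers shell_data_file.` — I cannot tell from the visible lines which it should be.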


@ -181,6 +181,7 @@ neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr rea
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
@ -191,6 +192,7 @@ neverallow {
-adbd
-appdomain
-app_zygote
-artd # compile secondary dex files
-dexoptanalyzer
-installd
-profman
@ -206,6 +208,7 @@ neverallow {
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
@ -214,6 +217,7 @@ neverallow {
domain
-appdomain
-app_zygote
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@ -221,11 +225,13 @@ neverallow {
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
-artd # compile secondary dex files
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
@ -606,10 +612,14 @@ neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
@ -621,6 +631,7 @@ neverallow {
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
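Review bot: The `-artd` exemption in the shell_data_file hunk (`@@ -606,10 +612,14 @@`) is broader than its own comment admits: the comment says artd does not need /data/local/tmp, but /data/local/tmp and the com.android.shell data directory carry the same label, so the exemption also lifts the restriction on /data/local/tmp — presumably the "not directly opened" rule the block comment above describes — and no type-level neverallow can separate the two paths. The surrounding comment explains that shell-owned content is untrustworthy, so the residual control is only that artd acts on the paths it is handed, which this policy cannot express. Suggest saying so in the added comment rather than implying the exemption is narrow, e.g. `# Because both paths share the shell_data_file label, this also exempts artd from the /data/local/tmp restriction; artd is relied on not to act on content there.` The object and permission set of that neverallow lie outside the hunk.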


@ -6,16 +6,19 @@
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
-system_server
-adbd
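Review bot: The three `-artd # compile secondary dex files` exemptions here remove artd from the mlstrustedsubject restrictions that otherwise confine such domains to read-like access on app data; the comment names the feature but not the MLS consequence, which is the point a reviewer of this file needs. Presumably the exemption is needed because artd works on every user's package directories (the artd.te comment in this change spells the path as `.../<user-id>/<package-name>/...`), so artd gets write/create access to app data across user boundaries; that should be stated, e.g. `# compile secondary dex files; artd writes oat dirs and profiles in app data for all users, so it must be exempt from the per-user MLS restriction`. The third neverallow continues past the end of the hunk, so its permission set is not visible here.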


@ -1155,9 +1155,13 @@ neverallow {
# write access to shell owned directories. The /data/local/tmp
# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
# artd doesn't need to access /data/local/tmp, but it needs to access
# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
# dex files.
neverallow {
domain
-adbd
-artd
-dumpstate
-installd
-init
@ -1169,6 +1173,7 @@ neverallow {
domain
-adbd
-appdomain
-artd
-dumpstate
-init
-installd
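Review bot: The `-artd` exemption in the second hunk (`@@ -1169,6 +1173,7 @@`) carries no comment, while every other exemption this change adds is either annotated `# compile secondary dex files` or covered by a block comment, as the first hunk in this section is. Change it to `-artd # compile secondary dex files` for consistency. The enclosing neverallow's object type and permission set lie outside the hunk, so a reader cannot tell from here what artd is being exempted from; the inline comment is the only in-place documentation of the grant.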