Merge "Allow artd to access primary dex'es in external and vendor partitions." am: 7269c1bfe9

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2345244 Change-Id: I4a54353c80cb8708d4ca5d494651031fbf58b312 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-12-12 17:02:46 +00:00 · 2022-12-12 17:02:46 +00:00 · 36dc423a33
commit 36dc423a33
parent dcd7053835 7269c1bfe9
2 changed files with 13 additions and 2 deletions
--- a/private/artd.te
+++ b/private/artd.te
@ -29,12 +29,21 @@ tmpfs_domain(artd)
 # Allow testing userfaultfd support.
 userfaultfd_use(artd)

-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
 r_dir_file(artd, apk_data_file)

-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)

+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
 # Read/write access to all compilation artifacts generated on device for apps'
 # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
 allow artd dalvikcache_data_file:dir create_dir_perms;
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -92,6 +92,7 @@ full_treble_only(`
    neverallow {
        coredomain
        -appdomain
+        -artd
        -idmap
        -init
        -installd
@ -110,6 +111,7 @@ full_treble_only(`
    neverallow {
        coredomain
        -appdomain
+        -artd
        -idmap
        -init
        -installd