diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 83d081ac9..14b68adb3 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -6,6 +6,7 @@
 /bin/art_exec u:object_r:art_exec_exec:s0
 /bin/artd u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
 /bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh u:object_r:odrefresh_exec:s0
 /bin/profman u:object_r:profman_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a3fc35d55..3af8dc2b3 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -6,6 +6,7 @@
 /bin/art_exec u:object_r:art_exec_exec:s0
 /bin/artd u:object_r:artd_exec:s0
 /bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexopt_chroot_setup u:object_r:dexopt_chroot_setup_exec:s0
 /bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh u:object_r:odrefresh_exec:s0
 /bin/profman(d)? u:object_r:profman_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 31c6bf148..08fe7a4bf 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -199,7 +199,8 @@ var (
 "gsiservice": EXCEPTION_NO_FUZZER,
 "appops": EXCEPTION_NO_FUZZER,
 "appwidget": EXCEPTION_NO_FUZZER,
- "artd": EXCEPTION_NO_FUZZER,
+ "artd": []string{"artd_fuzzer"},
+ "artd_pre_reboot": []string{"artd_fuzzer"},
 "assetatlas": EXCEPTION_NO_FUZZER,
 "attention": EXCEPTION_NO_FUZZER,
 "audio": EXCEPTION_NO_FUZZER,
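Review bot: In build/soong/service_fuzzer_bindings.go, `"artd_pre_reboot": []string{"artd_fuzzer"}` reuses the fuzzer bound to `"artd"`, and nothing on the entry says why one target satisfies both service names. If the pre-reboot service is the same interface served by a second instance (inferred from the name and from private/artd.te registering both), record that on the entry, e.g. `// Same interface as "artd"; covered by the same fuzzer.`. Neither `artd_fuzzer` nor `dexopt_chroot_setup_fuzzer` (bound in the later hunk of this file) is defined in this diff, so it is worth confirming both targets exist and exercise these interfaces before the `EXCEPTION_NO_FUZZER` entry is dropped. The `var (` block starts and ends outside the hunk.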
@@ -251,6 +252,7 @@ var ( "device_lock": EXCEPTION_NO_FUZZER, "device_state": EXCEPTION_NO_FUZZER, "devicestoragemonitor": EXCEPTION_NO_FUZZER, + "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"}, "diskstats": EXCEPTION_NO_FUZZER, "display": EXCEPTION_NO_FUZZER, "dnsresolver": []string{"resolv_service_fuzzer"}, diff --git a/private/artd.te b/private/artd.te index acab3977d..f8e79fb25 100644 --- a/private/artd.te +++ b/private/artd.te @@ -7,6 +7,7 @@ type artd_tmpfs, file_type; # Allow artd to publish a binder service and make binder calls. binder_use(artd) add_service(artd, artd_service) +add_service(artd, artd_pre_reboot_service) allow artd dumpstate:fifo_file { getattr write }; allow artd dumpstate:fd use; diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil index e19da6c95..3dbb9fdbd 100644 --- a/private/compat/34.0/34.0.ignore.cil +++ b/private/compat/34.0/34.0.ignore.cil @@ -6,7 +6,9 @@ (typeattributeset new_objects ( new_objects archive_service + artd_pre_reboot_service contextual_search_service + dexopt_chroot_setup_service dtbo_block_device ota_build_prop snapuserd_log_data_file diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te new file mode 100644 index 000000000..f7bd17a85 --- /dev/null +++ b/private/dexopt_chroot_setup.te 
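Review bot: `add_service(artd, artd_pre_reboot_service)` in private/artd.te lets the single `artd` domain register both service names, so policy alone cannot tell the regular instance from the pre-reboot one, and any process running as `artd` may register either name. If that is the intended design, a comment above the new line would record it, e.g. `# The pre-reboot artd instance runs in the same domain and registers under a second name.` (wording assumes that design; confirm). The rest of artd.te lies outside the hunk, so any existing restriction on who may find or call the new service is not visible here.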
@@ -0,0 +1,23 @@
+type dexopt_chroot_setup, domain, coredomain;
+type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
+type dexopt_chroot_setup_tmpfs, file_type;
+
+# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
+binder_use(dexopt_chroot_setup)
+add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
+allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
+allow dexopt_chroot_setup dumpstate:fd use;
+
+init_daemon_domain(dexopt_chroot_setup)
+
+# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
+# processes.
+tmpfs_domain(dexopt_chroot_setup)
+
+# libart (mark_compact.cc) has some intialization code that touches the cache
+# info file and userfaultfd.
+allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
+r_dir_file(dexopt_chroot_setup, apex_art_data_file)
+userfaultfd_use(dexopt_chroot_setup)
diff --git a/private/service_contexts b/private/service_contexts
index 509909787..f981f258c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -179,6 +179,7 @@ gsiservice u:object_r:gsi_service:s0
 appops u:object_r:appops_service:s0
 appwidget u:object_r:appwidget_service:s0
 artd u:object_r:artd_service:s0
+artd_pre_reboot u:object_r:artd_pre_reboot_service:s0
 assetatlas u:object_r:assetatlas_service:s0
 attention u:object_r:attention_service:s0
 audio u:object_r:audio_service:s0
@@ -230,6 +231,7 @@ deviceidle u:object_r:deviceidle_service:s0
 device_lock u:object_r:devicelock_service:s0
 device_state u:object_r:device_state_service:s0
 devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+dexopt_chroot_setup u:object_r:dexopt_chroot_setup_service:s0
 diskstats u:object_r:diskstats_service:s0
 display u:object_r:display_service:s0
 dnsresolver u:object_r:dnsresolver_service:s0
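Review bot: The new private/dexopt_chroot_setup.te defines an init-started coredomain that publishes a binder service, but it has no `neverallow` pinning who may reach it; the only client this commit grants is system_server (`binder_call` and `find` in private/system_server.te). A guard such as `neverallow { domain -system_server -servicemanager } dexopt_chroot_setup:binder call;` would stop a later change from silently widening the caller set; the exclusion list is a sketch and must be adjusted to whatever else legitimately calls the daemon. The two `dumpstate` rules sit under the "publish a binder service" comment but serve a different purpose and deserve their own line, e.g. `# Allow writing dump output to the pipe passed in by dumpstate.` (presumed purpose; confirm). A file header stating what the daemon does, and that no chroot or mount permissions are granted in this file yet, would help the next reader judge later additions.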
diff --git a/private/system_server.te b/private/system_server.te index 9ea2e9ffe..78366955b 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -283,6 +283,7 @@ binder_call(system_server, appdomain) binder_call(system_server, artd) binder_call(system_server, binderservicedomain) binder_call(system_server, composd) +binder_call(system_server, dexopt_chroot_setup) binder_call(system_server, dumpstate) binder_call(system_server, fingerprintd) binder_call(system_server, gatekeeperd) @@ -940,12 +941,14 @@ allow system_server kernel:security read_policy; add_service(system_server, system_server_service); allow system_server artd_service:service_manager find; +allow system_server artd_pre_reboot_service:service_manager find; allow system_server audioserver_service:service_manager find; allow system_server authorization_service:service_manager find; allow system_server batteryproperties_service:service_manager find; allow system_server cameraserver_service:service_manager find; allow system_server compos_service:service_manager find; allow system_server dataloader_manager_service:service_manager find; +allow system_server dexopt_chroot_setup_service:service_manager find; allow system_server dnsresolver_service:service_manager find; allow system_server drmserver_service:service_manager find; allow system_server dumpstate_service:service_manager find; diff --git a/public/service.te b/public/service.te index a22195618..c9333bd81 100644 --- a/public/service.te +++ b/public/service.te @@ -2,6 +2,7 @@ type aidl_lazy_test_service, service_manager_type; type apc_service, service_manager_type; type apex_service, service_manager_type; type artd_service, service_manager_type; +type artd_pre_reboot_service, service_manager_type; type audioserver_service, service_manager_type, isolated_compute_allowed_service; type authorization_service, service_manager_type; type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type; 
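Review bot: `type artd_pre_reboot_service, service_manager_type;` in this hunk and `type dexopt_chroot_setup_service, service_manager_type;` in the next hunk of public/service.te place both new types in public policy, where vendor policy can reference them. The only client granted in this commit is system_server, so a private declaration would keep the exported surface smaller. If the public placement simply follows the existing `artd_service` line, a short comment saying so would be enough. Only part of the type list is visible in the hunk.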
@@ -10,6 +11,7 @@ type cameraserver_service, service_manager_type, isolated_compute_allowed_s
 type fwk_camera_service, service_manager_type;
 type default_android_service, service_manager_type;
 type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
+type dexopt_chroot_setup_service, service_manager_type;
 type dnsresolver_service, service_manager_type;
 type drmserver_service, service_manager_type;
 type dumpstate_service, service_manager_type;