Add SElinux policies to allow foreign dex usage tracking.

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
This commit is contained in:
Calin Juravle 2016-02-23 16:34:23 +00:00
parent ba12da9572
commit 837bc42f5f
6 changed files with 19 additions and 0 deletions

7
app.te
View file

@ -116,6 +116,9 @@ allow appdomain shell_data_file:file { write getattr };
# Write profiles /data/misc/profiles # Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name }; allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms; allow appdomain user_profile_data_file:file create_file_perms;
# Profiles for foreign dex files are just markers and only need create permissions.
allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
allow appdomain user_profile_foreign_dex_data_file:file create;
# Send heap dumps to system_server via an already open file descriptor # Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576 # % adb shell am set-watch-heap com.android.systemui 1048576
@ -419,3 +422,7 @@ neverallow appdomain {
security_file security_file
tmpfs tmpfs
}:lnk_file no_w_file_perms; }:lnk_file no_w_file_perms;
# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };

View file

@ -88,6 +88,7 @@ type dalvikcache_data_file, file_type, data_file_type;
type ota_data_file, file_type, data_file_type; type ota_data_file, file_type, data_file_type;
# /data/misc/profiles # /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject; type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache # /data/resource-cache
type resourcecache_data_file, file_type, data_file_type; type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell # /data/local - writable by shell

View file

@ -294,6 +294,7 @@
# TODO(calin) label profile reference differently so that only # TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them # profman run as a special user can write to them
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0 /data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0 /data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
# Fingerprint data # Fingerprint data

View file

@ -115,6 +115,8 @@ allow installd {
# Similar for the files under /data/misc/profiles/ # Similar for the files under /data/misc/profiles/
allow installd user_profile_data_file:dir create_dir_perms; allow installd user_profile_data_file:dir create_dir_perms;
allow installd user_profile_data_file:file create_file_perms; allow installd user_profile_data_file:file create_file_perms;
allow installd user_profile_data_file:dir rmdir;
allow installd user_profile_data_file:file unlink;
# Create and use pty created by android_fork_execvp(). # Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms; allow installd devpts:chr_file rw_file_perms;

View file

@ -11,6 +11,13 @@ tmpfs_domain(system_server)
allow system_server dalvikcache_data_file:file execute; allow system_server dalvikcache_data_file:file execute;
allow system_server dalvikcache_data_file:dir r_dir_perms; allow system_server dalvikcache_data_file:dir r_dir_perms;
# Enable system server to check the foreign dex usage markers.
# We need search on top level directories so that we can get to the files
allow system_server user_profile_data_file:dir search;
allow system_server user_profile_data_file:file getattr;
allow system_server user_profile_foreign_dex_data_file:dir search;
allow system_server user_profile_foreign_dex_data_file:file getattr;
# /data/resource-cache # /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms; allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms; allow system_server resourcecache_data_file:dir r_dir_perms;

View file

@ -173,6 +173,7 @@ neverallow untrusted_app {
-media_rw_data_file # Internal storage. Known that apps can -media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall. # leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files -user_profile_data_file # Access to profile files
-user_profile_foreign_dex_data_file # Access to profile files
userdebug_or_eng(` userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1 -method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only -coredump_file # userdebug/eng only