Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
This commit is contained in:
parent
b8e865e1ee
commit
8f75f76fbd
25 changed files with 167 additions and 35 deletions
|
@ -4,5 +4,6 @@
|
|||
(/.*)? u:object_r:system_file:s0
|
||||
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
|
||||
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
|
||||
/bin/odrefresh u:object_r:odrefresh_exec:s0
|
||||
/bin/profman u:object_r:profman_exec:s0
|
||||
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
||||
|
|
|
@ -4,5 +4,6 @@
|
|||
(/.*)? u:object_r:system_file:s0
|
||||
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
|
||||
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
|
||||
/bin/odrefresh u:object_r:odrefresh_exec:s0
|
||||
/bin/profman(d)? u:object_r:profman_exec:s0
|
||||
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
||||
|
|
|
@ -12,6 +12,8 @@ allow apexd apex_metadata_file:dir create_dir_perms;
|
|||
allow apexd apex_metadata_file:file create_file_perms;
|
||||
|
||||
# Allow apexd to create files and directories for snapshots of apex data
|
||||
allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
|
||||
allow apexd apex_art_data_file:file { create_file_perms relabelto };
|
||||
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
|
||||
allow apexd apex_permission_data_file:file { create_file_perms relabelto };
|
||||
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
|
||||
|
|
|
@ -62,3 +62,25 @@ get_prop(appdomain, camera_calibration_prop)
|
|||
|
||||
# Allow to read db.log.detailed, db.log.slow_query_threshold*
|
||||
get_prop(appdomain, sqlite_log_prop)
|
||||
|
||||
# Read /data/misc/apexdata/com.android.art
|
||||
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
|
||||
allow appdomain apex_art_data_file:file r_file_perms;
|
||||
|
||||
# Sensitive app domains are not allowed to execute from /data
|
||||
# to prevent persistence attacks and ensure all code is executed
|
||||
# from read-only locations.
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
nfc
|
||||
radio
|
||||
shared_relro
|
||||
system_app
|
||||
} {
|
||||
data_file_type
|
||||
-apex_art_data_file
|
||||
-dalvikcache_data_file
|
||||
-system_data_file # shared libs in apks
|
||||
-apk_data_file
|
||||
}:file no_x_file_perms;
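Review bot: The `-apex_art_data_file` exemption added to the sensitive-app neverallow is not required by the allow rules in this hunk, which give appdomain only `search` on the directory and `r_file_perms` on files, neither of which is in no_x_file_perms. As written it relaxes the exec-from-/data guard for bluetooth, nfc, radio, system_app and the other listed domains without a matching grant, so it is either dead or anticipates a grant made elsewhere in the tree. If the latter, a comment beside the exemption should say who executes these artifacts and why that is acceptable, e.g. `-apex_art_data_file # TODO(review): state which domain executes on-device-signed artifacts and why sensitive apps need the exemption`; if nothing needs it, drop the exemption until the grant lands so the neverallow keeps documenting the real policy.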
|
||||
|
|
|
@ -8,6 +8,8 @@
|
|||
ab_update_gki_prop
|
||||
adbd_config_prop
|
||||
apc_service
|
||||
apex_art_data_file
|
||||
apex_art_staging_data_file
|
||||
apex_info_file
|
||||
cgroup_desc_api_file
|
||||
cgroup_v2
|
||||
|
@ -44,6 +46,8 @@
|
|||
mediatranscoding_tmpfs
|
||||
music_recognition_service
|
||||
nfc_logs_data_file
|
||||
odrefresh
|
||||
odrefresh_exec
|
||||
people_service
|
||||
persist_vendor_debug_wifi_prop
|
||||
power_debug_prop
|
||||
|
|
|
@ -47,3 +47,7 @@ neverallow crash_dump {
|
|||
|
||||
neverallow crash_dump self:process ptrace;
|
||||
neverallow crash_dump gpu_device:chr_file *;
|
||||
|
||||
# Read ART APEX data directory
|
||||
allow crash_dump apex_art_data_file:dir { getattr search };
|
||||
allow crash_dump apex_art_data_file:file r_file_perms;
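Review bot: The new `allow crash_dump apex_art_data_file` rules are appended after the file's trailing neverallow statements, which in this file otherwise form a closing neverallow-only block; keeping allow rules ahead of the neverallows makes it easier to audit what the file forbids. The matching `apex_module_data_file:dir { getattr search }` grant for crash_dump lives in the public/crash_dump.te hunk of this change, so a short comment here such as `# dir search on the parent /data/misc/apexdata is granted in public/crash_dump.te` would save the next reader from hunting for why this search succeeds.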
|
||||
|
|
|
@ -32,6 +32,21 @@ allow dex2oat user_profile_data_file:file { getattr read lock map };
|
|||
# the framework.
|
||||
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
|
||||
|
||||
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
|
||||
allow dex2oat apex_module_data_file:dir search;
|
||||
|
||||
# Allow dex2oat to use file descriptors passed from odrefresh.
|
||||
allow dex2oat odrefresh:fd use;
|
||||
|
||||
# Allow dex2oat to write to file descriptors from odrefresh for files
|
||||
# in the staging area.
|
||||
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
|
||||
allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
|
||||
|
||||
# Allow dex2oat to read artifacts from odrefresh.
|
||||
allow dex2oat apex_art_data_file:dir r_dir_perms;
|
||||
allow dex2oat apex_art_data_file:file r_file_perms;
|
||||
|
||||
##################
|
||||
# A/B OTA Dexopt #
|
||||
##################
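Review bot: The `unlink` granted on `apex_art_staging_data_file:file` cannot take effect by itself, because removing a directory entry also needs `remove_name` on the containing directory, and the staging directory is only given `r_dir_perms` here; unless another rule supplies it, a dex2oat attempt to delete a failed output would be denied and the permission is dead. Either drop `unlink` and leave cleanup to odrefresh, which owns the staging area, or grant the directory permission and say in the comment why dex2oat rather than odrefresh removes files. Separately, the comment `# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.` names com.android.runtime while every other rule in this change refers to com.android.art; whether that line is context or new, it presumably should read `/data/misc/apexdata` (the apex_module_data_file tree) or `com.android.art`.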
|
||||
|
|
|
@ -14,12 +14,21 @@ r_dir_file(dexoptanalyzer, vendor_app_file)
|
|||
# processes.
|
||||
tmpfs_domain(dexoptanalyzer)
|
||||
|
||||
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
|
||||
# app_data_file the oat file is symlinked to the original file in /system.
|
||||
# Allow dexoptanalyzer to read files in the dalvik cache.
|
||||
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
|
||||
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
|
||||
|
||||
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
|
||||
# app_data_file the oat file is symlinked to the original file in /system.
|
||||
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
|
||||
|
||||
# Allow dexoptanalyzer to read files in the ART APEX data directory.
|
||||
allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
|
||||
allow dexoptanalyzer apex_art_data_file:file r_file_perms;
|
||||
|
||||
# Allow dexoptanalyzer to use file descriptors from odrefresh.
|
||||
allow dexoptanalyzer odrefresh:fd use;
|
||||
|
||||
allow dexoptanalyzer installd:fd use;
|
||||
allow dexoptanalyzer installd:fifo_file { getattr write };
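Review bot: The comment pair `# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot` / `# app_data_file the oat file is symlinked to the original file in /system.` appears twice in this hunk, once above the `dalvikcache_data_file:dir` and `:file` rules (where it describes the wrong rule) and once above the `lnk_file read` rule it belongs to; the page does not show which copy is old and which is new, so if both survive on the new side the first copy should be removed. Unrelated to that, the new `allow dexoptanalyzer odrefresh:fd use;` is placed next to the existing `installd:fd use` grant, which is the right spot, but the comment could name the descriptor's purpose the way the dex2oat.te hunk does, e.g. `# Allow dexoptanalyzer to use file descriptors passed from odrefresh (artifacts under inspection).`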
|
||||
|
||||
|
|
|
@ -271,6 +271,40 @@ neverallow {
|
|||
-otapreopt_slot
|
||||
} dalvikcache_data_file:dir no_w_dir_perms;
|
||||
|
||||
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
|
||||
# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
|
||||
neverallow {
|
||||
domain
|
||||
# art processes
|
||||
-odrefresh
|
||||
# others
|
||||
-apexd
|
||||
-init
|
||||
-vold_prepare_subdirs
|
||||
} apex_art_data_file:file no_w_file_perms;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
# art processes
|
||||
-odrefresh
|
||||
# others
|
||||
-apexd
|
||||
-init
|
||||
-vold_prepare_subdirs
|
||||
} apex_art_data_file:dir no_w_dir_perms;
|
||||
|
||||
# Protect most domains from executing arbitrary content from /data.
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
} {
|
||||
data_file_type
|
||||
-apex_art_data_file
|
||||
-dalvikcache_data_file
|
||||
-system_data_file # shared libs in apks
|
||||
-apk_data_file
|
||||
}:file no_x_file_perms;
|
||||
|
||||
# Minimize dac_override and dac_read_search.
|
||||
# Instead of granting them it is usually better to add the domain to
|
||||
# a Unix group or change the permissions of a file.
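Review bot: The two new write neverallows protect only `apex_art_data_file`; the staging label `apex_art_staging_data_file`, whose contents this change moves into that directory, is guarded solely by a neverallow on `file open` in odrefresh.te, so a domain that obtained `write` or `create` on staging files through some other rule would not be caught by any neverallow. A parallel rule here with exemptions matching the grants in this change, e.g. `neverallow { domain -init -odrefresh -dex2oat } apex_art_staging_data_file:file no_w_file_perms;`, would close that gap; confirm the exemption list against dex2oat.te before adding it, since dex2oat legitimately writes staging files through inherited descriptors. The two `apex_art_data_file` blocks also repeat the same four-entry exemption list, so a maintainer adding an exemption must edit both; a one-line comment `# Keep the exemption lists of the file and dir rules below in sync.` above the first block would flag that.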
|
||||
|
|
|
@ -32,3 +32,9 @@ type emergency_data_file, file_type, data_file_type, core_data_file_type;
|
|||
|
||||
# /data/misc/profcollectd
|
||||
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
# /data/misc/apexdata/com.android.art
|
||||
type apex_art_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
# /data/misc/apexdata/com.android.art/staging
|
||||
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
|
|
@ -555,6 +555,7 @@
|
|||
# Misc data
|
||||
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
|
||||
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
|
||||
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
|
||||
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
|
||||
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
|
||||
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
|
||||
|
|
|
@ -41,6 +41,7 @@ perfetto_producer(heapprofd)
|
|||
# executables/libraries/etc to do stack unwinding.
|
||||
r_dir_file(heapprofd, nativetest_data_file)
|
||||
r_dir_file(heapprofd, system_file_type)
|
||||
r_dir_file(heapprofd, apex_art_data_file)
|
||||
r_dir_file(heapprofd, apk_data_file)
|
||||
r_dir_file(heapprofd, dalvikcache_data_file)
|
||||
r_dir_file(heapprofd, vendor_file_type)
|
||||
|
|
|
@ -136,6 +136,8 @@ get_prop(incidentd, device_config_runtime_native_boot_prop)
|
|||
allow incidentd system_file:file lock;
|
||||
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
|
||||
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
|
||||
dontaudit incidentd apex_module_data_file:dir r_dir_perms;
|
||||
dontaudit incidentd apex_art_data_file:dir r_dir_perms;
|
||||
dontaudit incidentd tmpfs:file rwx_file_perms;
|
||||
|
||||
# logd access - work to be done is a PII safe log (possibly an event log?)
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
typeattribute iorap_inode2filename coredomain;
|
||||
|
||||
# Grant access to open most of the files under /
|
||||
allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
|
||||
allow iorap_inode2filename apex_data_file:file { getattr };
|
||||
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
|
||||
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
|
||||
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
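Review bot: iorap_inode2filename is given `r_dir_perms` on `apex_art_data_file` directories, but the only file rule visible in the hunk, `allow iorap_inode2filename apex_data_file:file { getattr };`, names `apex_data_file`, a different type, so `getattr` on the files it will enumerate under /data/misc/apexdata/com.android.art is not granted by anything shown here. If the goal is to resolve inodes to names in that directory the file rule presumably needs the new type too, e.g. `allow iorap_inode2filename { apex_data_file apex_art_data_file }:file { getattr };`; if `apex_data_file` alone is intentional, a comment saying so would keep the next reader from "fixing" it. The sides of these lines are not recoverable from the page, so this may be pre-existing context that the change simply did not extend.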
|
||||
|
|
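--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1,32 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;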
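Review bot: The commit message says odrefresh moves artifacts out of the staging area and "gives them the apex_art_data_file label", but no rule in this file grants odrefresh `relabelfrom` on `apex_art_staging_data_file:file` or `relabelto` on `apex_art_data_file:file`; the only relabel pair present is `apex_art_data_file:dir relabelfrom` with `apex_art_staging_data_file:dir relabelto`, which runs in the opposite direction and only for directories. A rename keeps a file's existing label, so unless another domain performs the relabel or the directories themselves are swapped, files moved into the installation directory would still carry the staging label and be unreadable to the consumers granted `apex_art_data_file` elsewhere in this change (zygote, system_server, crash_dump and the tracing daemons). If a per-file relabel is the intended step, grant it explicitly, `allow odrefresh apex_art_staging_data_file:file relabelfrom;` and `allow odrefresh apex_art_data_file:file relabelto;`, and say in the comment above the staging rules which step does it. The closing neverallow guards only `open` of staging files, which is consistent with dex2oat writing through descriptors inherited from odrefresh, but a comment such as `# Only open is restricted: dex2oat writes through fds passed by odrefresh.` would stop a later reader from widening it to no_w_file_perms and breaking dex2oat.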
@ -13,6 +13,9 @@ userdebug_or_eng(`
|
|||
# Put the incident command into its domain so it is the same on user, userdebug and eng.
|
||||
domain_auto_trans(su, incident_exec, incident)
|
||||
|
||||
# Put the odrefresh command into its domain.
|
||||
domain_auto_trans(su, odrefresh_exec, odrefresh)
|
||||
|
||||
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
|
||||
domain_auto_trans(su, perfetto_exec, perfetto)
|
||||
|
||||
|
|
|
@ -32,8 +32,8 @@ allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREAT
|
|||
allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
|
||||
|
||||
# For art.
|
||||
allow system_server dalvikcache_data_file:dir r_dir_perms;
|
||||
allow system_server dalvikcache_data_file:file r_file_perms;
|
||||
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
|
||||
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
|
||||
|
||||
# When running system server under --invoke-with, we'll try to load the boot image under the
|
||||
# system server domain, following links to the system partition.
|
||||
|
|
|
@ -28,6 +28,7 @@ allow traced_perf packages_list_file:file r_file_perms;
|
|||
# Allow reading files for stack unwinding and symbolization.
|
||||
r_dir_file(traced_perf, nativetest_data_file)
|
||||
r_dir_file(traced_perf, system_file_type)
|
||||
r_dir_file(traced_perf, apex_art_data_file)
|
||||
r_dir_file(traced_perf, apk_data_file)
|
||||
r_dir_file(traced_perf, dalvikcache_data_file)
|
||||
r_dir_file(traced_perf, vendor_file_type)
|
||||
|
|
|
@ -48,6 +48,7 @@ allow traced_probes system_file:dir { open read };
|
|||
allow traced_probes self:global_capability_class_set dac_read_search;
|
||||
|
||||
allow traced_probes apk_data_file:dir { getattr open read search };
|
||||
allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
|
||||
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
|
||||
userdebug_or_eng(`
|
||||
# search and getattr are granted via domain and coredomain, respectively.
|
||||
|
@ -104,6 +105,8 @@ neverallow traced_probes domain:process ptrace;
|
|||
# Disallows access to /data files.
|
||||
neverallow traced_probes {
|
||||
data_file_type
|
||||
-apex_module_data_file
|
||||
-apex_art_data_file
|
||||
-apk_data_file
|
||||
-dalvikcache_data_file
|
||||
-system_data_file
|
||||
|
|
|
@ -16,6 +16,7 @@ allow vold_prepare_subdirs {
|
|||
vendor_data_file
|
||||
}:dir { open read write add_name remove_name rmdir relabelfrom };
|
||||
allow vold_prepare_subdirs {
|
||||
apex_art_data_file
|
||||
apex_module_data_file
|
||||
apex_permission_data_file
|
||||
apex_rollback_data_file
|
||||
|
@ -30,6 +31,8 @@ allow vold_prepare_subdirs {
|
|||
vold_data_file
|
||||
}:dir { create_dir_perms relabelto };
|
||||
allow vold_prepare_subdirs {
|
||||
apex_art_data_file
|
||||
apex_art_staging_data_file
|
||||
apex_module_data_file
|
||||
apex_permission_data_file
|
||||
apex_rollback_data_file
|
||||
|
|
|
@ -28,9 +28,10 @@ allow webview_zygote self:process setcurrent;
|
|||
allow webview_zygote isolated_app:process dyntransition;
|
||||
|
||||
# For art.
|
||||
allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
|
||||
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
|
||||
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
|
||||
allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
|
||||
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
|
||||
allow webview_zygote apex_module_data_file:dir search;
|
||||
|
||||
# Allow webview_zygote to create JIT memory.
|
||||
allow webview_zygote self:process execmem;
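Review bot: webview_zygote is granted `execute` on `apex_art_data_file:file` here, and the zygote.te hunk in this change makes the same grant and carves the type out of zygote's no_x neverallow, but neither states what makes the odrefresh-generated artifacts trustworthy to execute, whereas the neighbouring dalvikcache grant in zygote.te ties its execute permission to the fsverity check in art_apex_boot_integrity. As far as these rules show, the basis is the domain.te neverallow restricting writers of `apex_art_data_file` to odrefresh, apexd, init and vold_prepare_subdirs, together with whatever verification odrefresh or the zygotes perform at load time, which the page does not show. Suggest a comment on the execute line in both files, e.g. `# Execute of on-device-signed artifacts relies on the apex_art_data_file write neverallow in domain.te; TODO(review): document how integrity is verified before mapping.`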
|
||||
|
|
|
@ -50,6 +50,13 @@ allow zygote resourcecache_data_file:file create_file_perms;
|
|||
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
|
||||
allow zygote dalvikcache_data_file:file execute;
|
||||
|
||||
# Allow zygote to find files in APEX data directories.
|
||||
allow zygote apex_module_data_file:dir search;
|
||||
|
||||
# Allow zygote to find and map files created by on device signing.
|
||||
allow zygote apex_art_data_file:dir { getattr search };
|
||||
allow zygote apex_art_data_file:file { r_file_perms execute };
|
||||
|
||||
# Bind mount on /data/data and mounted volumes
|
||||
allow zygote { system_data_file mnt_expand_file }:dir mounton;
|
||||
|
||||
|
@ -225,9 +232,12 @@ neverallow zygote ~{
|
|||
app_zygote
|
||||
}:process dyntransition;
|
||||
|
||||
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
|
||||
# Zygote should never execute anything from /data except for
|
||||
# /data/dalvik-cache files or files generated during on-device
|
||||
# signing under /data/misc/apexdata/com.android.art/.
|
||||
neverallow zygote {
|
||||
data_file_type
|
||||
-apex_art_data_file # map PROT_EXEC
|
||||
-dalvikcache_data_file # map PROT_EXEC
|
||||
}:file no_x_file_perms;
|
||||
|
||||
|
|
|
@ -545,23 +545,6 @@ neverallow appdomain {
|
|||
tmpfs
|
||||
}:lnk_file no_w_file_perms;
|
||||
|
||||
# Sensitive app domains are not allowed to execute from /data
|
||||
# to prevent persistence attacks and ensure all code is executed
|
||||
# from read-only locations.
|
||||
neverallow {
|
||||
bluetooth
|
||||
isolated_app
|
||||
nfc
|
||||
radio
|
||||
shared_relro
|
||||
system_app
|
||||
} {
|
||||
data_file_type
|
||||
-dalvikcache_data_file
|
||||
-system_data_file # shared libs in apks
|
||||
-apk_data_file
|
||||
}:file no_x_file_perms;
|
||||
|
||||
# Applications should use the activity model for receiving events
|
||||
neverallow {
|
||||
appdomain
|
||||
|
|
|
@ -28,6 +28,9 @@ allow crash_dump exec_type:file r_file_perms;
|
|||
allow crash_dump dalvikcache_data_file:dir { search getattr };
|
||||
allow crash_dump dalvikcache_data_file:file r_file_perms;
|
||||
|
||||
# Read APEX data directories.
|
||||
allow crash_dump apex_module_data_file:dir { getattr search };
|
||||
|
||||
# Read APK files.
|
||||
r_dir_file(crash_dump, apk_data_file);
|
||||
|
||||
|
|
|
@ -469,17 +469,6 @@ neverallow domain device:chr_file { open read write };
|
|||
# Files from cache should never be executed
|
||||
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
|
||||
|
||||
# Protect most domains from executing arbitrary content from /data.
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain
|
||||
} {
|
||||
data_file_type
|
||||
-dalvikcache_data_file
|
||||
-system_data_file # shared libs in apks
|
||||
-apk_data_file
|
||||
}:file no_x_file_perms;
|
||||
|
||||
# The test files and executables MUST not be accessible to any domain
|
||||
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
|
||||
neverallow domain nativetest_data_file:dir no_w_dir_perms;
|
||||
|
|