From e5a1f64a2e618f939da897e77ad1680b1a49f9a3 Mon Sep 17 00:00:00 2001
From: Calin Juravle
Date: Tue, 17 Jan 2017 20:31:31 -0800
Subject: [PATCH] SElinux policies for compiling secondary dex files

This CLs adds SElinux policies necessary to compile secondary dex files. When an app loads secondary dex files via the base class loader the files will get reported to PM. During maintance mode PM will compile the secondary dex files which were used via the standard installd model (fork, exec, change uid and lower capabilities). What is needed: dexoptanalyzer - needs to read the dex file and the boot image in order to decide if we need to actually comppile. dex2oat - needs to be able to create *.oat files next to the secondary dex files.
Test: devices boots compilation of secondary dex files works without selinux denials cmd package compile --secondary-dex -f -m speed com.google.android.gms
Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
---
private/dexoptanalyzer.te | 26 ++++++++++++++++++++++++++
private/file_contexts | 1 +
private/installd.te | 3 +++
private/system_server.te | 4 ++++
public/dex2oat.te | 4 ++++
5 files changed, 38 insertions(+)
create mode 100644 private/dexoptanalyzer.te
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
new file mode 100644
index 000000000..2239d2ae8
--- /dev/null
+++ b/private/dexoptanalyzer.te
@@ -0,0 +1,26 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer_exec, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+#processes.
+tmpfs_domain(dexoptanalyzer)
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+allow dexoptanalyzer installd:fd use;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer app_data_file:dir { getattr search };
+allow dexoptanalyzer app_data_file:file r_file_perms;
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/file_contexts b/private/file_contexts
index ae910dea3..22a36693d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -224,6 +224,7 @@
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
 /system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
 /system/bin/profman u:object_r:profman_exec:s0
diff --git a/private/installd.te b/private/installd.te
index 9e6fc1e52..e18d8410a 100644
--- a/private/installd.te
+++ b/private/installd.te
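Review bot: The `app_data_file` rules near the end of private/dexoptanalyzer.te grant search and read on every app's private data at the policy level; the restriction to "secondary dex files reported by the app" that the comment describes is not expressed in policy and, going by the commit message, rests on installd switching to the app's uid before exec'ing the analyzer. The comment should say where that scoping actually comes from, e.g. `# Policy-wise this covers any app_data_file; confinement to the reported secondary dex files relies on installd dropping to the app's uid before the transition.`. Two smaller documentation nits in the same file: `#processes` lacks the space after `#` that the surrounding lines use, and the dalvik-cache comment (`... required for PIC mode boot` / `# app_data_file the oat file is symlinked ...`) does not parse as a sentence and looks like a copy-paste slip, so it should be reworded to state what the `lnk_file read` on `dalvikcache_data_file` is actually for.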
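Review bot: The new `/system/bin/dexoptanalyzer` entry in private/file_contexts carries no `(d)?` suffix, unlike the neighbouring `dex2oat(d)?` and `patchoat(d)?` entries. If a debug-build variant of the analyzer binary exists, it would not be labelled `dexoptanalyzer_exec`, so the transition added in private/installd.te would not apply to it. If such a variant ships the entry should be `/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0`; if it does not, a one-line comment saying so would stop the asymmetry from being "fixed" later.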
@@ -5,6 +5,9 @@ init_daemon_domain(installd)
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
 # Run profman in its own sandbox.
 domain_auto_trans(installd, profman_exec, profman)
diff --git a/private/system_server.te b/private/system_server.te
index 0e3566033..e5e4939de 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -13,3 +13,7 @@ type_transition system_server wpa_socket:sock_file system_wpa_socket;
 # TODO: deal with tmpfs_domain pub/priv split properly
 neverallow system_server system_server_tmpfs:file execute;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index d0de06498..be9877cf4 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -25,6 +25,10 @@ allow dex2oat oemfs:file read;
 allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read;
 allow dex2oat user_profile_data_file:file { getattr read lock };
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat app_data_file:file { getattr read write };
+
 ##################
 # A/B OTA Dexopt #
 ##################
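Review bot: The new comment in private/system_server.te says system_server should never access secondary dex files, but the rule beneath it does something narrower: it forbids system_server from executing the analyzer binary at all (`no_x_file_perms` denies both a plain exec and one that would transition into the dexoptanalyzer domain). Whether system_server can touch the dex files themselves is governed by `app_data_file` rules, which this hunk does not change. Suggest rewording so the comment matches the rule, e.g. `# dexoptanalyzer runs only on behalf of installd; system_server must never execute it, so every compile path has to go through installd's fork/exec/uid-drop model.`.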
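Review bot: The new `app_data_file:file { getattr read write }` rule in public/dex2oat.te grants write on every app's private files by type, and the comment above it does not say why that is acceptable. What appears to keep it contained is the absence of `open` and `create` in the vector (the same shape as the `user_profile_data_file` rule two lines up): dex2oat can only read or write descriptors that installd has already opened and handed over, presumably the secondary dex file and its output oat file, so it cannot reach arbitrary app data on its own. The commit message says dex2oat "needs to be able to create *.oat files", which this rule does not allow, so the comment should also name who actually creates them. That property is easy to lose in a later change that adds `open`, so state it explicitly, e.g. `# No open/create on purpose: installd opens the secondary dex file and its output oat file and passes the fds; dex2oat must not be able to open app data itself.`.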