Update SELinux policy for app compilation CUJ.

- Adapt installd rules for app compilation. - Add profman rules for checking the profile before compilation. This is new behavior compared to installd. Bug: 229268202 Test: - 1. adb shell pm art optimize-package -m speed-profile -f \ com.google.android.youtube 2. See no SELinux denial. Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
2022-07-19 21:29:31 +01:00 · 2022-07-19 21:29:31 +01:00 · c871c1cc75
commit c871c1cc75
parent 355ecc995e
11 changed files with 50 additions and 12 deletions
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@ -2,6 +2,7 @@
 # System files
 #
 (/.*)?                   u:object_r:system_file:s0
+/bin/art_exec            u:object_r:art_exec_exec:s0
 /bin/artd                u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)?     u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@ -2,6 +2,7 @@
 # System files
 #
 (/.*)?                         u:object_r:system_file:s0
+/bin/art_exec                  u:object_r:art_exec_exec:s0
 /bin/dex2oat(d)?(32|64)?       u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer(d)?        u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh                 u:object_r:odrefresh_exec:s0
--- a/private/artd.te
+++ b/private/artd.te
@ -1,5 +1,5 @@
-# art service daemon
-type artd, domain, coredomain;
+# ART service daemon.
+typeattribute artd coredomain;
 type artd_exec, system_file_type, exec_type, file_type;
 type artd_tmpfs, file_type;

@ -57,4 +57,23 @@ allow artd apex_info_file:file r_file_perms;
 #   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
 # - "fowner" is for adjusting the file permissions of compilation artifacts and
 #   profile files based on whether they include user data or not.
-allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
+# - "chown" is for transferring the ownership of compilation artifacts and
+#   profile files to the system or apps.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
+
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
+allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_data_file:file create_file_perms;
+
+# Never allow running other binaries without a domain transition.
+# The only exception is art_exec. It is allowed to use the artd domain because
+# it is a thin wrapper that executes other binaries on behalf of artd.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
+allow artd art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, profman_exec, profman)
+domain_auto_trans(artd, dex2oat_exec, dex2oat)
+
+# Allow sending sigkill to subprocesses.
+allow artd { profman dex2oat }:process sigkill;
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
  ( new_objects
+    artd
    device_config_memory_safety_native_prop
    device_config_vendor_system_native_prop
    hal_bootctl_service
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -77,6 +77,7 @@ full_treble_only(`
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        -postinstall_dexopt
+        -profman
        -rs # spawned by appdomain, so carryover the exception above
        userdebug_or_eng(`-simpleperf_boot')
        -system_server
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@ -15,7 +15,6 @@ allow dex2oat tmpfs:file { read getattr map };

 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;

 # Acquire advisory lock on /system/framework/arm/*
 allow dex2oat system_file:file lock;
@ -38,12 +37,8 @@ allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock
 # Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
 allow dex2oat apex_module_data_file:dir search;

-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
+# Allow dex2oat to use devpts passed from odsign.
 allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;

 # Allow dex2oat to write to file descriptors from odrefresh for files
 # in the staging area.
@ -61,6 +56,9 @@ get_prop(dex2oat, device_config_runtime_native_boot_prop)
 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;

+# Allow dex2oat to use file descriptors passed from privileged programs.
+allow dex2oat { artd installd odrefresh odsign }:fd use;
+
 ##################
 # A/B OTA Dexopt #
 ##################
--- a/private/file.te
+++ b/private/file.te
@ -115,3 +115,8 @@ type sepolicy_metadata_file, file_type;
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# /apex/com.android.art/bin/art_exec
+# This executable does not have its own domain because it is executed in the caller's domain. For
+# example, it is executed in the `artd` domain when artd calls it.
+type art_exec_exec, system_file_type, exec_type, file_type;
--- a/private/profman.te
+++ b/private/profman.te
@ -1 +1,12 @@
 typeattribute profman coredomain;
+
+# Allow profman to read APKs and profile files next to them by FDs passed from
+# other programs. In addition, allow profman to acquire flocks on those files.
+allow profman {
+  system_file
+  apk_data_file
+  vendor_app_file
+}:file { getattr read map lock };
+
+# Allow profman to use file descriptors passed from privileged programs.
+allow profman { artd installd }:fd use;
--- a/public/artd.te
+++ b/public/artd.te
@ -0,0 +1,2 @@
+# ART service daemon.
+type artd, domain;
--- a/public/domain.te
+++ b/public/domain.te
@ -1230,11 +1230,12 @@ neverallow domain debugfs_type:file { execute execute_no_trans };
 neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;

 # Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
+# it from installd and artd forked processes.
 neverallow {
  domain
  -installd
  -profman
+  -artd
 } profman_exec:file no_x_file_perms;

 # Enforce restrictions on kernel module origin.
--- a/public/profman.te
+++ b/public/profman.te
@ -14,8 +14,6 @@ allow profman oemfs:file { read map };
 allow profman tmpfs:file { read map };
 allow profman profman_dump_data_file:file { write map };

-allow profman installd:fd use;
-
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.