From f41d4d72de0b1f63476269febc6d67e4686459a5 Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Tue, 22 Sep 2020 15:43:17 +0100
Subject: [PATCH] Remove app_data_file:dir access from dexoptanalyzer.

It only accesses already-open file handles since b/67111829, so has no need for any access to the directories, not even search access.

Fixes: 161960094
Bug: 141677108
Test: boot, install app
Test: cmd package force-dex-opt
Test: cmd package bg-dexopt-job
Test: No denials seen.
Change-Id: I23dca1f038351be759dd16dff18d16d158604c3c
---
private/dexoptanalyzer.te | 7 +------
private/mlstrustedsubject.te | 2 --
2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index a2b2b018d..b8b7b306f 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -11,7 +11,7 @@ r_dir_file(dexoptanalyzer, vendor_app_file)
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
 # This allows to distinguish in policy files created by dexoptanalyzer vs other
-#processes.
+# processes.
 tmpfs_domain(dexoptanalyzer)
 
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
@@ -28,12 +28,7 @@ allow dexoptanalyzer system_file:file lock;
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
 allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
 
-# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
-# "dontaudit...audit_access" policy line to suppress the audit access without
-# suppressing denial on actual access.
-dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
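Review bot: The comment above the surviving `allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };` rule still reads as a general "allow reading secondary dex files" grant and no longer records that the domain is meant to work only on file descriptors handed to it, so a later change that hits a path-resolution denial could re-add `:dir search` without realising it is breaking a deliberate boundary. Suggest replacing the two comment lines with something like `# Secondary dex files are only ever reached through already-open fds passed in by the caller (b/67111829); no open permission and no dir search are granted on purpose, since the paths are app-controlled.` On the file side the restriction rests purely on `open` being absent from the permission set, which nothing in this file asserts; the dir side is now pinned by the mlstrustedsubject.te neverallow, but only if dexoptanalyzer actually carries the mlstrustedsubject attribute, which this diff does not show.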
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index b803dbcad..22482d9b7 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -18,7 +18,6 @@ neverallow {
 -iorap_inode2filename
 } { app_data_file privapp_data_file }:dir ~{ read getattr search };
 
-# TODO(b/141677108): See if we can remove any of these.
 neverallow {
 mlstrustedsubject
 -installd
@@ -27,6 +26,5 @@ neverallow {
 -system_server
 -adbd
 -runas
- -dexoptanalyzer
 -zygote
 } { app_data_file privapp_data_file }:dir { read getattr search };