- Add pm.dexopt.* properties.
- Add rules for running artd in chroot.
Bug: 311377497
Test: manual - Run Pre-reboot Dexopt and see no denial.
Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
Bug: 311377497
Test: manual - Call
getDexoptChrootSetupServiceRegisterer().waitForService()
Test: manual - Set up a chroot environment and call
getArtdPreRebootServiceRegisterer().waitForService()
Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
The artd daemon is not always active. When running, it exposes a binder
service which may be dumped when a bug report is triggered. The current
policy did not fully grant access which resulted in spurious denials if
a bugreport was triggered when the daemon was running.
Test: Run bugreport; observe correct dump of artd service
Bug: 282614147
Bug: 192197221
Change-Id: Ie0986d7716de33ec38ae09cfee14c629f5a414a6
Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.
Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
Bug: 262230400
Test: -
1. Remove the "oat" directory of an app.
2. Dexopt the app using ART Service.
3. See no SELinux denials.
Change-Id: I717073b0172083d73a1b84e5c2bea59076663b2f
Otherwise, we will encounter SELinux denials like:
W binder:6200_7: type=1400 audit(0.0:327): avc: denied { read } for name="PrebuiltGmsCoreNext_DynamiteLoader.apk" dev="dm-51" ino=2576 scontext=u:r:artd:s0 tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=lnk_file permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iccb97b1973f8efbe859b59e729f7a0194d05ba5e
Otherwise, we will get SELinux denials like:
W binder:6098_5: type=1400 audit(0.0:138): avc: denied { search } for name="framework" dev="dm-6" ino=478 scontext=u:r:artd:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Ic31fdabb16341c51466531c88ca040698331b248
Secondary dex files are in app data directories. In order to perform
secondary dex compilation, artd needs permissions to:
- Read secondary dex files
- Create "oat" dir
- Create a reference profile in "oat" dir
- Rename the reference profile
- Delete the reference profile
- Read the current profile in "oat" dir
- Delete the current profile
- Create compilation artifacts in "oat" dir
- Rename compilation artifacts
- Delete compilation artifacts
Bug: 249984283
Test: -
1. adb shell pm art optimize-package --secondary-dex -m speed-profile -f com.google.android.gms
2. See no SELinux denial.
Change-Id: I19a0ea7895a54c67959b22085de27d1d0ccc1efc
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to read current profile files.
It also needs to be mlstrustedsubject because current profile files
seem to have MLS restrictions.
Otherwise, it will get SELinux denials like:
```
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
```
Note the MLS restrictions `c512,c768` in the message above.
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: I1cb8c3ac07d3790a4d74d747707327b1d5d8ecfb
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to add/delete/replace profile
files. Otherwise, it will get SELinux denials like:
```
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { write } for name="com.google.android.youtube" dev="dm-52" ino=922 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
09-23 19:51:37.951 5050 5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { add_name } for name="primary.prof.6mOsV9.tmp" scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
```
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: Ib1a914b9a9526a85b69d27970e4b23c4e101c68a
This is needed for getting CPU time and wall time spent on subprocesses. Otherwise, the following denials will occur:
09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { read } for scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1
09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { search } for name="6157" dev="proc" ino=57917 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=dir permissive=1
09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { open } for path="/proc/6157/stat" dev="proc" ino=57954 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1
Bug: 245380798
Test: -
1. adb shell pm art optimize-package -m speed -f \
com.google.android.youtube
2. See CPU time and wall time in the output. No denial occured.
Change-Id: I9c8c98a31e1ac0c9431a721938c7a9c5c3ddc42b
- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: -
1. adb shell pm art optimize-package -m speed-profile -f \
com.google.android.youtube
2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
This CL adds rules to allow artd to delete optimized artifacts.
In general, some functionalities from installd are being migrated to
artd, so artd needs permissions to do what installd is doing: managing
profiles and compilation artifacts that belong to individual apps.
Bug: 225827974
Test: adb shell pm art delete-optimized-artifacts com.google.android.youtube
Change-Id: I1780cdfb481175fd3b0bc9031fdabb8e7cd71a12
ART is becoming a module and we need to be able to add new properties
without modifying the non updatable part of the platform:
- convert ART properties to use prefix in the namespace of
[ro].dalvik.vm.
- enable appdomain and coredomain to read device_config properties
that configure ART
Test: boot
Bug: 181748174
Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
