# ART service daemon. typeattribute artd coredomain; typeattribute artd mlstrustedsubject; type artd_exec, system_file_type, exec_type, file_type; type artd_tmpfs, file_type; # Allow artd to publish a binder service and make binder calls. binder_use(artd) add_service(artd, artd_service) add_service(artd, artd_pre_reboot_service) allow artd dumpstate:fifo_file { getattr write }; allow artd dumpstate:fd use; init_daemon_domain(artd) # Allow query ART device config properties get_prop(artd, device_config_runtime_native_prop) get_prop(artd, device_config_runtime_native_boot_prop) # Access to "odsign.verification.success" for deciding whether to deny files in # the ART APEX data directory. get_prop(artd, odsign_prop) # Reading an APK opens a ZipArchive, which unpack to tmpfs. # Use tmpfs_domain() which will give tmpfs files created by artd their # own label, which differs from other labels created by other processes. # This allows to distinguish in policy files created by artd vs other # processes. tmpfs_domain(artd) # Allow testing userfaultfd support. userfaultfd_use(artd) # Read access to primary dex'es on writable partitions # ({/data,/mnt/expand/}/app/...). # Also allow creating the "oat" directory before restorecon. allow artd mnt_expand_file:dir { getattr search }; allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom }; allow artd apk_data_file:file r_file_perms; # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...). r_dir_file(artd, vendor_app_file) # Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...). allow artd oemfs:dir { getattr search }; r_dir_file(artd, vendor_overlay_file) # Vendor overlay can be found in vendor apex allow artd vendor_apex_metadata_file:dir { getattr search }; # Read access to vendor shared libraries ({/vendor,/odm}/framework/...). r_dir_file(artd, vendor_framework_file) # Read/write access to all compilation artifacts generated on device for apps' # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.) allow artd dalvikcache_data_file:dir { create_dir_perms relabelto }; allow artd dalvikcache_data_file:file { create_file_perms relabelto }; # Read access to the ART APEX data directory. # Needed for reading the boot image generated on device. allow artd apex_module_data_file:dir { getattr search }; r_dir_file(artd, apex_art_data_file) # Read access to /apex/apex-info-list.xml # Needed for getting APEX versions. allow artd apex_info_file:file r_file_perms; # Allow getting root capabilities to bypass permission checks. # - "dac_override" and "dac_read_search" are for # - reading secondary dex'es in app data directories (reading primary dex'es # doesn't need root capabilities) # - managing (CRUD) compilation artifacts in both APK directories for primary # dex'es and in app data directories for secondary dex'es # - managing (CRUD) profile files for both primary dex'es and secondary dex'es # - "fowner" is for adjusting the file permissions of compilation artifacts and # profile files based on whether they include user data or not. # - "chown" is for transferring the ownership of compilation artifacts and # profile files to the system or apps. allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown }; # Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow # scanning /data/misc/profiles/cur, for cleaning up obsolete managed files. allow artd user_profile_root_file:dir r_dir_perms; allow artd user_profile_data_file:dir rw_dir_perms; allow artd user_profile_data_file:file create_file_perms; # Read/write access to secondary dex files, their profiles, and their # compilation artifacts # ({/data,/mnt/expand/}/{user,user_de}///...). allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto }; allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto }; # Allow symlinks for secondary dex files. This has be to restricted because # symlinks can cause various security issues. We allow "privapp_data_file" just # for GMS because so far we only see GMS using symlinks. allow artd privapp_data_file:lnk_file { getattr read }; # Read access to SELinux context files, for restorecon. allow artd file_contexts_file:file r_file_perms; allow artd seapp_contexts_file:file r_file_perms; # Check validity of SELinux context, for restorecon. selinux_check_context(artd) # Allow scanning /, for cleaning up obsolete managed files. allow artd rootfs:dir r_dir_perms; # Allow scanning /data, for cleaning up obsolete managed files. allow artd system_data_root_file:dir r_dir_perms; # Allow scanning /mnt, for cleaning up obsolete managed files. allow artd tmpfs:dir r_dir_perms; # Allow scanning /mnt/expand, for cleaning up obsolete managed files. allow artd mnt_expand_file:dir r_dir_perms; # Allow scanning {/data,/mnt/expand/}/{user,user_de}, for cleaning # up obsolete managed files. allow artd system_userdir_file:dir r_dir_perms; # Allow scanning {/data,/mnt/expand/}/{user,user_de}/ and # /mnt/expand/, for cleaning up obsolete managed files. allow artd system_data_file:dir r_dir_perms; # Never allow running other binaries without a domain transition. # The only exception is art_exec. It is allowed to use the artd domain because # it is a thin wrapper that executes other binaries on behalf of artd. neverallow artd ~{art_exec_exec}:file execute_no_trans; allow artd art_exec_exec:file rx_file_perms; # Allow running other binaries in their own domains. domain_auto_trans(artd, profman_exec, profman) domain_auto_trans(artd, dex2oat_exec, dex2oat) # Allow sending sigkill to subprocesses. allow artd { profman dex2oat }:process sigkill; # Allow reading process info (/proc//...). # This is needed for getting CPU time and wall time spent on subprocesses. r_dir_file(artd, profman); r_dir_file(artd, dex2oat); # Allow artd to reopen its own memfd. # artd needs to reopen a memfd with readonly in order to pass it to subprocesses # that don't have write permissions on memfds. allow artd artd_tmpfs:file open;