tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/dexoptanalyzer.te
Calin Juravle de7244cf23 Fix sepolicy for secondary dex files 
dexoptanalyzer need read access on the secondary
dex files and of the main apk files in order to successfully evaluate
and optimize them.

Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro

Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
2020-07-15 16:43:40 +00:00

39 lines
1.8 KiB
Text
Raw Blame History

# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
r_dir_file(dexoptanalyzer, apk_data_file)
# Access to /vendor/app
r_dir_file(dexoptanalyzer, vendor_app_file)
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
#processes.
tmpfs_domain(dexoptanalyzer)
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
# Acquire advisory lock on /system/framework/arm/*
allow dexoptanalyzer system_file:file lock;
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
Reference in a new issue View git blame Copy permalink