cc39f63773
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
54 lines
1.9 KiB
Text
54 lines
1.9 KiB
Text
# dex2oat
|
|
type dex2oat, domain, domain_deprecated;
|
|
type dex2oat_exec, exec_type, file_type;
|
|
|
|
r_dir_file(dex2oat, apk_data_file)
|
|
|
|
allow dex2oat tmpfs:file { read getattr };
|
|
|
|
# allow access to the interpreter
|
|
allow dex2oat libart_file:file { execute read open getattr };
|
|
|
|
r_dir_file(dex2oat, dalvikcache_data_file)
|
|
allow dex2oat dalvikcache_data_file:file write;
|
|
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
|
|
# the oat file is symlinked to the original file in /system.
|
|
allow dex2oat dalvikcache_data_file:lnk_file read;
|
|
allow dex2oat installd:fd use;
|
|
|
|
# Read already open asec_apk_file file descriptors passed by installd.
|
|
# Also allow reading unlabeled files, to allow for upgrading forward
|
|
# locked APKs.
|
|
allow dex2oat asec_apk_file:file read;
|
|
allow dex2oat unlabeled:file read;
|
|
allow dex2oat oemfs:file read;
|
|
allow dex2oat apk_tmp_file:file read;
|
|
allow dex2oat user_profile_data_file:file { getattr read lock };
|
|
|
|
##################
|
|
# A/B OTA Dexopt #
|
|
##################
|
|
|
|
# Allow dex2oat to use file descriptors from otapreopt.
|
|
allow dex2oat postinstall_dexopt:fd use;
|
|
|
|
allow dex2oat postinstall_file:dir { getattr search };
|
|
|
|
# Allow dex2oat access to files in /data/ota.
|
|
allow dex2oat ota_data_file:dir ra_dir_perms;
|
|
allow dex2oat ota_data_file:file r_file_perms;
|
|
|
|
# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
|
|
# where the oat file is symlinked to the original file in /system.
|
|
allow dex2oat ota_data_file:lnk_file { create read };
|
|
|
|
# It would be nice to tie this down, but currently, because of how images are written, we can't
|
|
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
|
|
# create them itself (and make them world-readable).
|
|
allow dex2oat ota_data_file:file { create w_file_perms setattr };
|
|
|
|
##############
|
|
# Neverallow #
|
|
##############
|
|
|
|
neverallow dex2oat app_data_file:notdevfile_class_set open;
|