88e5583eac
This is needed for getting CPU time and wall time spent on subprocesses. Otherwise, the following denials will occur: 09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { read } for scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1 09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { search } for name="6157" dev="proc" ino=57917 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=dir permissive=1 09-09 15:11:38.635 6137 6137 I binder:6137_1: type=1400 audit(0.0:185): avc: denied { open } for path="/proc/6157/stat" dev="proc" ino=57954 scontext=u:r:artd:s0 tcontext=u:r:dex2oat:s0 tclass=file permissive=1 Bug: 245380798 Test: - 1. adb shell pm art optimize-package -m speed -f \ com.google.android.youtube 2. See CPU time and wall time in the output. No denial occurred. Change-Id: I9c8c98a31e1ac0c9431a721938c7a9c5c3ddc42b
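# ART service daemon.

typeattribute artd coredomain;

type artd_exec, system_file_type, exec_type, file_type;

type artd_tmpfs, file_type;

# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
# Write access to the fifo dumpstate hands over, presumably so the service's
# dump() output lands in bug reports -- NOTE(review): inferred, confirm.
allow artd dumpstate:fifo_file { getattr write };

# Started by init; init transitions into the artd domain when it runs artd_exec.
init_daemon_domain(artd)

# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)

# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)

# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
tmpfs_domain(artd)

# Allow testing userfaultfd support.
userfaultfd_use(artd)

# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
r_dir_file(artd, apk_data_file)

# Read access to /vendor/app.
r_dir_file(artd, vendor_app_file)

# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
allow artd dalvikcache_data_file:file create_file_perms;

# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)

# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;

# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
#   - reading secondary dex'es in app data directories (reading primary dex'es
#     doesn't need root capabilities)
#   - managing (CRUD) compilation artifacts in both APK directories for primary
#     dex'es and in app data directories for secondary dex'es
#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
#   profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
#   profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };

# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
allow artd user_profile_data_file:dir { getattr search };
allow artd user_profile_data_file:file create_file_perms;

# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file rx_file_perms;

# Allow running other binaries in their own domains.
domain_auto_trans(artd, profman_exec, profman)
domain_auto_trans(artd, dex2oat_exec, dex2oat)

# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;

# Allow reading process info (/proc/<pid>/...) of the subprocesses artd spawns.
# This is needed for getting CPU time and wall time spent on subprocesses
# (read from /proc/<pid>/stat).
# Note: the /proc/<pid>/ directory and the files under it carry the label of
# the running process (the profman / dex2oat domain), so this grants read on
# every proc file of those processes, not only "stat"; the grant cannot be
# narrowed to a single proc file via labels. Keep this domain list in sync with
# the domain_auto_trans and sigkill rules above.
r_dir_file(artd, profman)
r_dir_file(artd, dex2oat)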