platform_system_sepolicy/public/profman.te
Calin Juravle ebcec9b8bb Allow profman to analyze profiles for the secondary dex files
The secondary dex files are application dex files which gets reported
back to the framework when using BaseDexClassLoader.

Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.

Example of SElinux denial:
03-15 12:38:46.967  7529  7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1

Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
2017-03-15 18:47:13 -07:00

26 lines
839 B
Text

# profman
type profman, domain;
type profman_exec, exec_type, file_type;
allow profman user_profile_data_file:file { getattr read write lock };
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
allow profman apk_data_file:file { read };
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
allow profman profman_dump_data_file:file { write };
allow profman installd:fd use;
# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman app_data_file:file { getattr read write lock };
###
### neverallow rules
###
neverallow profman app_data_file:notdevfile_class_set open;