e5a1f64a2e
This CLs adds SElinux policies necessary to compile secondary dex files.
When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).
What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.
Test: devices boots
compilation of secondary dex files works without selinux denials
cmd package compile --secondary-dex -f -m speed
com.google.android.gms
Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
58 lines
2.1 KiB
Text
58 lines
2.1 KiB
Text
# dex2oat
|
|
type dex2oat, domain, domain_deprecated;
|
|
type dex2oat_exec, exec_type, file_type;
|
|
|
|
r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
|
|
|
|
allow dex2oat tmpfs:file { read getattr };
|
|
|
|
# allow access to the interpreter
|
|
allow dex2oat libart_file:file { execute read open getattr };
|
|
|
|
r_dir_file(dex2oat, dalvikcache_data_file)
|
|
allow dex2oat dalvikcache_data_file:file write;
|
|
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
|
|
# the oat file is symlinked to the original file in /system.
|
|
allow dex2oat dalvikcache_data_file:lnk_file read;
|
|
allow dex2oat installd:fd use;
|
|
|
|
# Read already open asec_apk_file file descriptors passed by installd.
|
|
# Also allow reading unlabeled files, to allow for upgrading forward
|
|
# locked APKs.
|
|
allow dex2oat asec_apk_file:file read;
|
|
allow dex2oat unlabeled:file read;
|
|
allow dex2oat oemfs:file read;
|
|
allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read;
|
|
allow dex2oat user_profile_data_file:file { getattr read lock };
|
|
|
|
# Allow dex2oat to compile app's secondary dex files which were reported back to
|
|
# the framework.
|
|
allow dex2oat app_data_file:file { getattr read write };
|
|
|
|
##################
|
|
# A/B OTA Dexopt #
|
|
##################
|
|
|
|
# Allow dex2oat to use file descriptors from otapreopt.
|
|
allow dex2oat postinstall_dexopt:fd use;
|
|
|
|
allow dex2oat postinstall_file:dir { getattr search };
|
|
|
|
# Allow dex2oat access to files in /data/ota.
|
|
allow dex2oat ota_data_file:dir ra_dir_perms;
|
|
allow dex2oat ota_data_file:file r_file_perms;
|
|
|
|
# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
|
|
# where the oat file is symlinked to the original file in /system.
|
|
allow dex2oat ota_data_file:lnk_file { create read };
|
|
|
|
# It would be nice to tie this down, but currently, because of how images are written, we can't
|
|
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
|
|
# create them itself (and make them world-readable).
|
|
allow dex2oat ota_data_file:file { create w_file_perms setattr };
|
|
|
|
##############
|
|
# Neverallow #
|
|
##############
|
|
|
|
neverallow dex2oat app_data_file:notdevfile_class_set open;
|