platform_system_sepolicy/private/postinstall_dexopt.te
Andreas Gampe 6d5baca452 Sepolicy: Move dex2oat and postinstall_dexopt to private
In preparation for additions that should be private-only, move the
types to private. Both have to be moved as they are dependent.

Bug: 125474642
Test: m
Change-Id: I6a76eba41b036bc6fb83588adbe9d63767d3e159
2019-02-26 13:13:45 -08:00

64 lines
2.8 KiB
Text

# Domain for the otapreopt executable, running under postinstall_dexopt
#
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
type postinstall_dexopt, domain, coredomain;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
# Allow access to /postinstall/apex.
allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.
# Read app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, apk_data_file)
# Read vendor app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_app_file)
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
allow postinstall_dexopt user_profile_data_file:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
allow postinstall_dexopt ota_data_file:file create_file_perms;
allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
# TODO: See whether we can apply ota_data_file?
allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
# Allow labeling of files under /data/app/com.example/oat/
# TODO: Restrict to .b suffix?
allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
# Check validity of SELinux context before use.
selinux_check_context(postinstall_dexopt)
selinux_check_access(postinstall_dexopt)
# Postinstall wants to know about our child.
allow postinstall_dexopt postinstall:process sigchld;
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;