329cbf4d4e
The denial occurs when system_server dynamically loads AOT artifacts at runtime.

Sample message:
type=1400 audit(0.0:4): avc: denied { execute } for comm="system_server" path="/data/misc/apexdata/com.android.art/dalvik-cache/arm64/system@framework@com.android.location.provider.jar@classes.odex" dev="dm-37" ino=296 scontext=u:r:system_server:s0 tcontext=u:object_r:apex_art_data_file:s0 tclass=file permissive=0

Currently, system_server is only allowed to load AOT artifacts at startup. odrefresh compiles jars in SYSTEMSERVERCLASSPATH, which are supposed to be loaded by system_server at startup. However, com.android.location.provider is a special case that is not only loaded at startup, but also loaded dynamically as a shared library, causing the denial.

Therefore, this denial is currently expected. We need to compile com.android.location.provider so that its AOT artifacts can be picked up at system_server startup, but we cannot allow the artifacts to be loaded dynamically for now because further discussion about its security implications is needed. We will find a long term solution to this, tracked by b/194054685.

Test: Presubmits
Bug: 194054685
Change-Id: I3850ae022840bfe18633ed43fb666f5d88e383f6
36 lines
1.5 KiB
Text
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
init nativetest_data_file dir b/77873135
init pstorefs dir b/77873135
init shell_data_file dir b/77873135
init shell_data_file file b/77873135
init shell_data_file lnk_file b/77873135
init shell_data_file sock_file b/77873135
init system_data_file chr_file b/77873135
isolated_app privapp_data_file dir b/119596573
isolated_app app_data_file dir b/120394782
mediaextractor app_data_file file b/77923736
mediaextractor radio_data_file file b/77923736
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
mediaswcodec ashmem_device chr_file b/142679232
netd priv_app unix_stream_socket b/77870037
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server apex_art_data_file file b/194054685
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server zygote process b/77856826
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
zygote labeledfs filesystem b/170748799
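
Added example (not part of the commit or of AOSP code): a triage helper that parses an avc denial line and looks up its tracking bug in rows of the form shown above. Reading the columns as source domain, target type, class and bug is inferred from the sample denial and its matching row; the function names and the embedded row subset are constructed for illustration.

```python
import re

# Constructed subset of the rows listed above: source domain, target type, class, bug.
BUG_MAP_TEXT = """\
system_server apex_art_data_file file b/194054685
system_server crash_dump process b/73128755
netd untrusted_app unix_stream_socket b/77870037
"""

# Sample denial quoted in the commit message above.
SAMPLE_DENIAL = (
    'type=1400 audit(0.0:4): avc: denied { execute } for comm="system_server" '
    'path="/data/misc/apexdata/com.android.art/dalvik-cache/arm64/'
    'system@framework@com.android.location.provider.jar@classes.odex" '
    'dev="dm-37" ino=296 scontext=u:r:system_server:s0 '
    'tcontext=u:object_r:apex_art_data_file:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{[^}]*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_bug_map(text):
    """Return {(source_domain, target_type, tclass): bug} from four-column rows."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].startswith("#"):
            continue  # skip blanks, comments and malformed rows
        table[tuple(fields[:3])] = fields[3]
    return table

def selinux_type(context):
    """Extract the type field from user:role:type:level[:categories]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 4 else None

def lookup_bug(avc_line, table):
    """Return the tracking bug for a denial, or None if it is not an expected one."""
    m = AVC_RE.search(avc_line)
    if m is None:
        return None
    key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
    return table.get(key)

if __name__ == "__main__":
    print(lookup_bug(SAMPLE_DENIAL, parse_bug_map(BUG_MAP_TEXT)))
```

A denial that returns None has no row in the map and deserves a closer look; the permission inside the braces is not part of the lookup key, so an expected row does not distinguish execute from other permissions on the same class.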