tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/dex2oat.te
Martin Stjernholm 502a036436 Allow dex2oat access to symlinks in APEXes to find DCLA libs. 
With the introduction of DCLA (/apex/sharedlibs APEX), .so files can be
symlinked into that APEX, so we need to allow reading symlinks to be
able to link the dex2oat binary successfully.

This fixes "CANNOT LINK EXECUTABLE" errors for dex2oat during OTA
preopting.

Test: Apply an OTA manually and check logs for errors
Bug: 291974157
Change-Id: I9eca91c94e8d33fe618783cea262ea3881957620
2023-07-25 00:07:27 +01:00

115 lines
4.3 KiB
Text
Raw Blame History

# dex2oat
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
userfaultfd_use(dex2oat)
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read map };
# Access /vendor/overlay
r_dir_file(dex2oat, vendor_overlay_file);
# Vendor overlay can be found in vendor apex
allow dex2oat vendor_apex_metadata_file:dir { getattr search };
allow dex2oat tmpfs:file { read getattr map };
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
allow dex2oat asec_apk_file:file { read map };
allow dex2oat unlabeled:file { read map };
allow dex2oat oemfs:file { read map };
allow dex2oat apk_tmp_file:dir search;
allow dex2oat apk_tmp_file:file r_file_perms;
allow dex2oat user_profile_data_file:file { getattr read lock map };
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
allow dex2oat apex_module_data_file:dir search;
# Allow dex2oat to use devpts passed from odsign.
allow dex2oat odsign_devpts:chr_file { read write };
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
# Allow dex2oat to read artifacts from odrefresh.
allow dex2oat apex_art_data_file:dir r_dir_perms;
allow dex2oat apex_art_data_file:file r_file_perms;
# Allow dex2oat to read runtime native flag properties.
get_prop(dex2oat, device_config_runtime_native_prop)
get_prop(dex2oat, device_config_runtime_native_boot_prop)
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file r_file_perms;
# Allow dex2oat to use file descriptors passed from privileged programs.
allow dex2oat { artd installd odrefresh odsign }:fd use;
# Allow dex2oat to read the /proc filesystem for CPU features, etc.
allow dex2oat proc_filesystems:file r_file_perms;
##################
# A/B OTA Dexopt #
##################
# Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use;
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
allow dex2oat postinstall_file:dir r_dir_perms;
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
allow dex2oat postinstall_file:file read;
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
allow dex2oat postinstall_file:file { execute getattr open };
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
allow dex2oat postinstall_apex_mnt_dir:{ file lnk_file } r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
allow dex2oat ota_data_file:file r_file_perms;
# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
# where the oat file is symlinked to the original file in /system.
allow dex2oat ota_data_file:lnk_file { create read };
# It would be nice to tie this down, but currently, because of how images are written, we can't
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
# create them itself (and make them world-readable).
allow dex2oat ota_data_file:file { create w_file_perms setattr };
###############
# APEX Update #
###############
# /dev/zero is inherited.
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
##############
# Neverallow #
##############
neverallow dex2oat app_data_file_type:notdevfile_class_set open;
Reference in a new issue View git blame Copy permalink