platform_system_sepolicy/private/artd.te
Jiakai Zhang d7f811913b Allow artd to access files for restorecon.
Otherwise, we will get SELinux denials like:
W binder:5750_1: type=1400 audit(0.0:133): avc: denied { read } for name="plat_file_contexts" dev="dm-1" ino=979 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
W binder:5750_1: type=1400 audit(0.0:134): avc: denied { read } for name="system_ext_file_contexts" dev="dm-3" ino=92 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iec586c554fa2dc33f0a428321bada484add620ed
2022-12-13 16:03:22 +00:00

113 lines
4.7 KiB
Text

# ART service daemon.
typeattribute artd coredomain;
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
allow artd dumpstate:fifo_file { getattr write };
init_daemon_domain(artd)
# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)
# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
tmpfs_domain(artd)
# Allow testing userfaultfd support.
userfaultfd_use(artd)
# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
allow artd dalvikcache_data_file:file create_file_perms;
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)
# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;
# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
# - reading secondary dex'es in app data directories (reading primary dex'es
# doesn't need root capabilities)
# - managing (CRUD) compilation artifacts in both APK directories for primary
# dex'es and in app data directories for secondary dex'es
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
# profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
# profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
allow artd user_profile_root_file:dir { getattr search };
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
# Allow symlinks for secondary dex files. This has be to restricted because
# symlinks can cause various security issues. We allow "privapp_data_file" just
# for GMS because so far we only see GMS using symlinks.
allow artd privapp_data_file:lnk_file { getattr read };
# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file r_file_perms;
allow artd seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file rx_file_perms;
# Allow running other binaries in their own domains.
domain_auto_trans(artd, profman_exec, profman)
domain_auto_trans(artd, dex2oat_exec, dex2oat)
# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;
# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);