5e531051b6
Otherwise, we will get SELinux denials like: W binder:6098_5: type=1400 audit(0.0:138): avc: denied { search } for name="framework" dev="dm-6" ino=478 scontext=u:r:artd:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir permissive=0 Bug: 262230400 Test: No longer see such SELinux denials. Change-Id: Ic31fdabb16341c51466531c88ca040698331b248
101 lines
4.2 KiB
Text
101 lines
4.2 KiB
Text
# ART service daemon.
|
|
typeattribute artd coredomain;
|
|
typeattribute artd mlstrustedsubject;
|
|
type artd_exec, system_file_type, exec_type, file_type;
|
|
type artd_tmpfs, file_type;
|
|
|
|
# Allow artd to publish a binder service and make binder calls.
|
|
binder_use(artd)
|
|
add_service(artd, artd_service)
|
|
allow artd dumpstate:fifo_file { getattr write };
|
|
|
|
init_daemon_domain(artd)
|
|
|
|
# Allow query ART device config properties
|
|
get_prop(artd, device_config_runtime_native_prop)
|
|
get_prop(artd, device_config_runtime_native_boot_prop)
|
|
|
|
# Access to "odsign.verification.success" for deciding whether to deny files in
|
|
# the ART APEX data directory.
|
|
get_prop(artd, odsign_prop)
|
|
|
|
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
|
# Use tmpfs_domain() which will give tmpfs files created by artd their
|
|
# own label, which differs from other labels created by other processes.
|
|
# This allows to distinguish in policy files created by artd vs other
|
|
# processes.
|
|
tmpfs_domain(artd)
|
|
|
|
# Allow testing userfaultfd support.
|
|
userfaultfd_use(artd)
|
|
|
|
# Read access to primary dex'es on writable partitions
|
|
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
|
|
allow artd mnt_expand_file:dir { getattr search };
|
|
r_dir_file(artd, apk_data_file)
|
|
|
|
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
|
|
r_dir_file(artd, vendor_app_file)
|
|
|
|
# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
|
|
allow artd oemfs:dir { getattr search };
|
|
r_dir_file(artd, vendor_overlay_file)
|
|
|
|
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
|
|
r_dir_file(artd, vendor_framework_file)
|
|
|
|
# Read/write access to all compilation artifacts generated on device for apps'
|
|
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
|
|
allow artd dalvikcache_data_file:dir create_dir_perms;
|
|
allow artd dalvikcache_data_file:file create_file_perms;
|
|
|
|
# Read access to the ART APEX data directory.
|
|
# Needed for reading the boot image generated on device.
|
|
allow artd apex_module_data_file:dir { getattr search };
|
|
r_dir_file(artd, apex_art_data_file)
|
|
|
|
# Read access to /apex/apex-info-list.xml
|
|
# Needed for getting APEX versions.
|
|
allow artd apex_info_file:file r_file_perms;
|
|
|
|
# Allow getting root capabilities to bypass permission checks.
|
|
# - "dac_override" and "dac_read_search" are for
|
|
# - reading secondary dex'es in app data directories (reading primary dex'es
|
|
# doesn't need root capabilities)
|
|
# - managing (CRUD) compilation artifacts in both APK directories for primary
|
|
# dex'es and in app data directories for secondary dex'es
|
|
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
|
|
# - "fowner" is for adjusting the file permissions of compilation artifacts and
|
|
# profile files based on whether they include user data or not.
|
|
# - "chown" is for transferring the ownership of compilation artifacts and
|
|
# profile files to the system or apps.
|
|
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
|
|
|
|
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
|
|
allow artd user_profile_root_file:dir { getattr search };
|
|
allow artd user_profile_data_file:dir rw_dir_perms;
|
|
allow artd user_profile_data_file:file create_file_perms;
|
|
|
|
# Read/write access to secondary dex files, their profiles, and their
|
|
# compilation artifacts
|
|
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
|
|
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
|
|
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
|
|
|
|
# Never allow running other binaries without a domain transition.
|
|
# The only exception is art_exec. It is allowed to use the artd domain because
|
|
# it is a thin wrapper that executes other binaries on behalf of artd.
|
|
neverallow artd ~{art_exec_exec}:file execute_no_trans;
|
|
allow artd art_exec_exec:file rx_file_perms;
|
|
|
|
# Allow running other binaries in their own domains.
|
|
domain_auto_trans(artd, profman_exec, profman)
|
|
domain_auto_trans(artd, dex2oat_exec, dex2oat)
|
|
|
|
# Allow sending sigkill to subprocesses.
|
|
allow artd { profman dex2oat }:process sigkill;
|
|
|
|
# Allow reading process info (/proc/<pid>/...).
|
|
# This is needed for getting CPU time and wall time spent on subprocesses.
|
|
r_dir_file(artd, profman);
|
|
r_dir_file(artd, dex2oat);
|