9e80bfc880
When opening the dex files we sometime need to check for the real location
of the file (even if it was open via an fd).
Denial example:
avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0
Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323
Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54
29 lines
962 B
Text
29 lines
962 B
Text
# profman
|
|
type profman, domain;
|
|
type profman_exec, exec_type, file_type;
|
|
|
|
allow profman user_profile_data_file:file { getattr read write lock };
|
|
|
|
# Dumping profile info opens the application APK file for pretty printing.
|
|
allow profman asec_apk_file:file { read };
|
|
allow profman apk_data_file:file { getattr read };
|
|
allow profman apk_data_file:dir { getattr read search };
|
|
|
|
allow profman oemfs:file { read };
|
|
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
|
allow profman tmpfs:file { read };
|
|
allow profman profman_dump_data_file:file { write };
|
|
|
|
allow profman installd:fd use;
|
|
|
|
# Allow profman to analyze profiles for the secondary dex files. These
|
|
# are application dex files reported back to the framework when using
|
|
# BaseDexClassLoader.
|
|
allow profman app_data_file:file { getattr read write lock };
|
|
allow profman app_data_file:dir { getattr read search };
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
neverallow profman app_data_file:notdevfile_class_set open;
|