d7227d8816
This is in prevision of future `dex2oat` feature / experiments flags set in namespaces `runtime_native` and `runtime_native_boot`. In Android S, ART is becoming an updatable Mainline module (which will include `dex2oat`). In the future, we may want to run experiments or test new features using the Android Experiments framework. Such experiments/features are enabled via feature flags, implemented as Android system properties for native code. To be able to read such properties, we need to give the read permission to the relevant binaries. At the moment, this can only be done in the SELinux policy of the Android platform, which cannot be updated via a Mainline update. To give us the opportunity to conduct such experiments in `dex2oat` via an ART Mainline Module update after Android S has shipped (e.g. by having `dex2oat` query a system property in `persist.device_config.runtime_native.*` ), we need to have this permission set in the Android S platform now. Test: mmma system/sepolicy Change-Id: I0a83e9f0ec19884a99ef9693d55084376bff8762
99 lines
3.7 KiB
Text
99 lines
3.7 KiB
Text
# dex2oat
|
|
type dex2oat, domain, coredomain;
|
|
type dex2oat_exec, system_file_type, exec_type, file_type;
|
|
|
|
r_dir_file(dex2oat, apk_data_file)
|
|
# Access to /vendor/app
|
|
r_dir_file(dex2oat, vendor_app_file)
|
|
# Access /vendor/framework
|
|
allow dex2oat vendor_framework_file:dir { getattr search };
|
|
allow dex2oat vendor_framework_file:file { getattr open read map };
|
|
|
|
allow dex2oat tmpfs:file { read getattr map };
|
|
|
|
r_dir_file(dex2oat, dalvikcache_data_file)
|
|
allow dex2oat dalvikcache_data_file:file write;
|
|
allow dex2oat installd:fd use;
|
|
|
|
# Acquire advisory lock on /system/framework/arm/*
|
|
allow dex2oat system_file:file lock;
|
|
|
|
# Read already open asec_apk_file file descriptors passed by installd.
|
|
# Also allow reading unlabeled files, to allow for upgrading forward
|
|
# locked APKs.
|
|
allow dex2oat asec_apk_file:file { read map };
|
|
allow dex2oat unlabeled:file { read map };
|
|
allow dex2oat oemfs:file { read map };
|
|
allow dex2oat apk_tmp_file:dir search;
|
|
allow dex2oat apk_tmp_file:file r_file_perms;
|
|
allow dex2oat user_profile_data_file:file { getattr read lock map };
|
|
|
|
# Allow dex2oat to compile app's secondary dex files which were reported back to
|
|
# the framework.
|
|
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
|
|
|
|
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
|
|
allow dex2oat apex_module_data_file:dir search;
|
|
|
|
# Allow dex2oat to use file descriptors passed from odrefresh.
|
|
allow dex2oat odrefresh:fd use;
|
|
|
|
# Allow dex2oat to write to file descriptors from odrefresh for files
|
|
# in the staging area.
|
|
allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
|
|
allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
|
|
|
|
# Allow dex2oat to read artifacts from odrefresh.
|
|
allow dex2oat apex_art_data_file:dir r_dir_perms;
|
|
allow dex2oat apex_art_data_file:file r_file_perms;
|
|
|
|
# Allow dex2oat to read runtime native flag properties.
|
|
get_prop(dex2oat, device_config_runtime_native_prop)
|
|
get_prop(dex2oat, device_config_runtime_native_boot_prop)
|
|
|
|
##################
|
|
# A/B OTA Dexopt #
|
|
##################
|
|
|
|
# Allow dex2oat to use file descriptors from otapreopt.
|
|
allow dex2oat postinstall_dexopt:fd use;
|
|
|
|
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
|
|
allow dex2oat postinstall_file:dir r_dir_perms;
|
|
allow dex2oat postinstall_file:filesystem getattr;
|
|
allow dex2oat postinstall_file:lnk_file { getattr read };
|
|
allow dex2oat postinstall_file:file read;
|
|
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
|
|
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
|
|
allow dex2oat postinstall_file:file { execute getattr open };
|
|
|
|
# Allow dex2oat access to /postinstall/apex.
|
|
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
|
|
|
|
# Allow dex2oat access to files in /data/ota.
|
|
allow dex2oat ota_data_file:dir ra_dir_perms;
|
|
allow dex2oat ota_data_file:file r_file_perms;
|
|
|
|
# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
|
|
# where the oat file is symlinked to the original file in /system.
|
|
allow dex2oat ota_data_file:lnk_file { create read };
|
|
|
|
# It would be nice to tie this down, but currently, because of how images are written, we can't
|
|
# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
|
|
# create them itself (and make them world-readable).
|
|
allow dex2oat ota_data_file:file { create w_file_perms setattr };
|
|
|
|
###############
|
|
# APEX Update #
|
|
###############
|
|
|
|
# /dev/zero is inherited.
|
|
allow dex2oat apexd:fd use;
|
|
|
|
# Allow dex2oat to use file descriptors from preinstall.
|
|
|
|
##############
|
|
# Neverallow #
|
|
##############
|
|
|
|
neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
|