platform_system_sepolicy/private/viewcompiler.te
Eric Holk 04ee9fb1b2 Give map permission to viewcompiler
On cuttlefish devices, the resource loading code apparently maps the file rather
than just reading it.

Denial log:

viewcompiler: type=1400 audit(0.0:308): avc: denied { map } for
path="/data/app/android.startop.test-Z2JxVhtKPw2wx4o-nmo5NA==/base.apk"
dev="vdb" ino=139269 scontext=u:r:viewcompiler:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=android.startop.test

Bug: 139018973
Change-Id: I4bbbc44abc3c4315137f76a0be737236cf10f4ef
2019-08-27 10:43:55 -07:00

25 lines
1 KiB
Text

# viewcompiler
type viewcompiler, domain, coredomain, mlstrustedsubject;
type viewcompiler_exec, system_file_type, exec_type, file_type;
type viewcompiler_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by viewcompiler vs other
# processes.
tmpfs_domain(viewcompiler)
allow viewcompiler installd:fd use;
# Include write permission for app data files so viewcompiler can generate
# compiled layout dex files
allow viewcompiler app_data_file:file { getattr write };
# Allow the view compiler to read resources from the apps APK.
allow viewcompiler apk_data_file:file { read map };
# priv-apps are moving to a world where they can only execute
# signed code. Make sure viewcompiler never can write to privapp
# directories to avoid introducing unsigned executable code
neverallow viewcompiler privapp_data_file:file no_w_file_perms;