2ffeca72a6
Secondary dex files are in app data directories. In order to perform secondary dex compilation, artd needs permissions to:
- Read secondary dex files
- Create "oat" dir
- Create a reference profile in "oat" dir
- Rename the reference profile
- Delete the reference profile
- Read the current profile in "oat" dir
- Delete the current profile
- Create compilation artifacts in "oat" dir
- Rename compilation artifacts
- Delete compilation artifacts

Bug: 249984283
Test: -
  1. adb shell pm art optimize-package --secondary-dex -m speed-profile -f com.google.android.gms
  2. See no SELinux denial.
Change-Id: I19a0ea7895a54c67959b22085de27d1d0ccc1efc
# MLS override can't be used to access private app data.

# Apps should not normally be mlstrustedsubject, but if they must be,
# they cannot use this to access app private data files; their own app
# data files must use a different label.

# Files in app data: for every MLS-trusted subject other than the two
# subtracted below, any file permission outside the listed set is a
# build-time policy violation (the ~ complements the set). The allowed set
# has no open, create, unlink, rename or execute, so in effect only a file
# that reaches the domain as an already-open descriptor remains usable.
#
# installd and artd are carved out; artd because it compiles secondary dex
# files, which live in app data directories. A carve-out only lifts this
# assertion and grants nothing by itself: what these two domains can really
# do is decided by their allow rules elsewhere in the policy, and that is
# where a review of their app-data access has to look.
neverallow { mlstrustedsubject -installd -artd } {
  privapp_data_file
  app_data_file
}:file ~{ getattr read write append map ioctl lock };
# Directories in app data, modifying access: apart from installd and artd,
# no MLS-trusted subject may hold a directory permission other than read,
# getattr and search. That rules out everything that changes a directory
# (write, add_name, remove_name, create, rmdir, ...).
#
# artd is exempt because secondary dex compilation has it create an "oat"
# directory under app data and create, rename and delete profiles and
# compilation artifacts inside it. The exemption removes the compile-time
# guard for artd on all app data directories, not only "oat", so its allow
# rules are the only remaining bound and should stay as narrow as possible.
neverallow { mlstrustedsubject -installd -artd } {
  privapp_data_file
  app_data_file
}:dir ~{ getattr read search };
# Directories in app data, read-only access: even listing or traversing
# (read, getattr, search) is forbidden to MLS-trusted subjects unless the
# domain is subtracted here. Combined with the dir rule on the complement
# set, a domain missing from this list can hold no directory permission on
# app data at all.
#
# system_server, adbd, runas and zygote are exempt from this rule only, so
# the complement rule still caps them at read/getattr/search. installd and
# artd are exempt from both dir rules. Every name added to this list widens
# the set of privileged domains allowed to walk app-private directories.
neverallow {
  mlstrustedsubject
  -adbd
  -artd            # compile secondary dex files
  -installd
  -runas
  -system_server
  -zygote
} { privapp_data_file app_data_file }:dir { getattr read search };