platform_system_sepolicy/private/artd.te
Jiakai Zhang 2ce60a69bc Allow artd to get root capabilities and write to dalvikcache_data_file.
This CL adds rules to allow artd to delete optimized artifacts.

In general, some functionalities from installd are being migrated to
artd, so artd needs permissions to do what installd is doing: managing
profiles and compilation artifacts that belong to individual apps.

Bug: 225827974
Test: adb shell pm art delete-optimized-artifacts com.google.android.youtube
Change-Id: I1780cdfb481175fd3b0bc9031fdabb8e7cd71a12
2022-06-08 10:13:22 +00:00


# art service daemon
# Declares the artd domain plus the labels for its executable and its tmpfs
# files. coredomain marks artd as a platform (system image) domain.
type artd, domain, coredomain;
# Label for the artd executable; init_daemon_domain(artd) below keys the
# init -> artd domain transition on this type.
type artd_exec, system_file_type, exec_type, file_type;
# Label for tmpfs files created by artd; see tmpfs_domain(artd) below.
type artd_tmpfs, file_type;
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
# Allow artd to getattr and write a pipe labeled with the dumpstate domain.
# NOTE(review): presumably used to emit artd state into bug reports; confirm.
allow artd dumpstate:fifo_file { getattr write };
# artd is started by init: set up the automatic transition into the artd
# domain when init executes a file labeled artd_exec.
init_daemon_domain(artd)
# Allow querying ART device config properties (read-only property access).
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)
# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
# NOTE(review): this property gates a trust decision, so artd only needs to
# read it; no set_prop is granted here and none should be added.
get_prop(artd, odsign_prop)
# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
# Use tmpfs_domain() so that tmpfs files created by artd get their own label
# (artd_tmpfs), distinct from the labels of tmpfs files created by other
# processes. This lets policy distinguish files created by artd from files
# created by other processes.
tmpfs_domain(artd)
# Allow testing userfaultfd support.
userfaultfd_use(artd)
# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
# r_dir_file() grants read-only access to directories and files of the type.
r_dir_file(artd, apk_data_file)
# Read access to /vendor/app.
r_dir_file(artd, vendor_app_file)
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
# The create_dir_perms / create_file_perms sets include create, rename,
# setattr and unlink in addition to read/write, which is what lets artd
# delete optimized artifacts.
# NOTE(review): these artifacts are compiled code that is presumably loaded
# later by app processes, so write access is integrity-sensitive; keep the
# grant scoped to dalvikcache_data_file and avoid widening it to other types.
allow artd dalvikcache_data_file:dir create_dir_perms;
allow artd dalvikcache_data_file:file create_file_perms;
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
# Only getattr/search (traversal) is granted on the parent
# apex_module_data_file directories; file contents are readable only under
# the apex_art_data_file type.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)
# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;
# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
#   - reading secondary dex'es in app data directories (reading primary dex'es
#     doesn't need root capabilities)
#   - managing (CRUD) compilation artifacts in both APK directories for primary
#     dex'es and in app data directories for secondary dex'es
#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
#   profile files based on whether they include user data or not.
#
# These capabilities only lift the Unix (DAC) owner/mode checks. Every access
# still needs a matching SELinux allow rule for the target type, so the allow
# rules in this file are what bounds artd: any file type granted to artd
# becomes reachable regardless of its owner or mode bits. Review each new
# file-type rule for artd with that in mind.
# NOTE(review): no allow rule for app data directory or profile file types is
# visible in this file, so the secondary dex and profile uses listed above
# presumably depend on rules that are not part of this view; confirm.
# global_capability_class_set covers both the capability and cap_userns
# classes.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner };