# dexoptanalyzer
#
# Declares the dexoptanalyzer domain, its executable type and its tmpfs file
# type, then lists the access the domain is granted.
#
# Audit summary: the explicit allow rules in this file grant write on only two
# objects, the odsign pty and an installd pipe. Whatever the macros used here
# (r_dir_file, tmpfs_domain, userfaultfd_use, get_prop) expand to is defined
# elsewhere and has to be reviewed there.
#
# NOTE(review): mlstrustedsubject is the attribute that normally exempts a
# subject from the MLS constraints. Presumably it is needed for the app data
# reads further down -- confirm against the MLS policy before copying this
# attribute to another domain.
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;

# ---- APK inputs -------------------------------------------------------------

# Read directories and files labelled apk_data_file.
r_dir_file(dexoptanalyzer, apk_data_file)
# Same read access for /vendor/app.
r_dir_file(dexoptanalyzer, vendor_app_file)

# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
# tmpfs_domain() gives the tmpfs files that dexoptanalyzer creates their own
# label, so policy can tell them apart from tmpfs files created by any other
# process.
tmpfs_domain(dexoptanalyzer)

# NOTE(review): the file records no rationale for this grant; confirm it is
# still required.
userfaultfd_use(dexoptanalyzer)

# ---- Compiled-code caches (read-only) ---------------------------------------

# Look up and read files in the dalvik cache. No write or create is granted.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;

# Read symlinks in /data/dalvik-cache. Needed for PIC-mode boot images, where
# the oat file is a symlink to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;

# Read files in the ART APEX data directory. apex_module_data_file gets
# directory getattr/search only -- presumably so the parent directory can be
# traversed; no file access is granted on that type.
allow dexoptanalyzer apex_art_data_file:dir { getattr search };
allow dexoptanalyzer apex_module_data_file:dir { getattr search };
allow dexoptanalyzer apex_art_data_file:file r_file_perms;

# ---- Descriptors handed over by other domains -------------------------------

# Use file descriptors that come from installd, from odrefresh, and from
# odsign (which exec()'s odrefresh).
allow dexoptanalyzer { installd odrefresh odsign }:fd use;

# Read and write the pty that comes from odsign.
allow dexoptanalyzer odsign_devpts:chr_file { read write };

# Write to a pipe labelled with the installd domain. Only getattr and write are
# granted, so dexoptanalyzer cannot read from it.
# NOTE(review): presumably used to hand results or output back to installd --
# confirm against the installd side.
allow dexoptanalyzer installd:fifo_file { getattr write };

# ---- System and app files ---------------------------------------------------

# Acquire advisory lock on /system/framework/arm/*
allow dexoptanalyzer system_file:file lock;

# Read secondary dex files that the app reported to the package manager.
# Least-privilege point: `open` is deliberately absent and this file grants no
# directory access on either type, so these rules only cover files that reach
# dexoptanalyzer as an already-open descriptor. Adding `open` here would let
# the domain resolve paths inside app-private storage on its own.
allow dexoptanalyzer app_data_file:file { getattr read map };
allow dexoptanalyzer privapp_data_file:file { getattr read map };

# Allow testing /data/user/0, which is a symlink to /data/data. getattr only:
# the link can be stat'ed, not read.
allow dexoptanalyzer system_data_file:lnk_file getattr;

# ---- Properties -------------------------------------------------------------

# Query the ART device config properties.
get_prop(dexoptanalyzer, device_config_runtime_native_prop)
get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)