commit 0bee12090002d036bf34e18f877f8b6fa5d34fae
author Calin Juravle <calin@google.com> Mon Jul 13 18:53:38 2020 -0700
committer Calin Juravle <calin@google.com> Wed Jul 22 14:10:06 2020 -0700
tree 7335cae78ecbf07abcff4874977e60b811abe6ba
parent e30b4b613c0d2007437d04bf69937f172cf464cc

Fix sepolicy for secondary dex files

dexoptanalyzer need read access on the secondary
dex files and of the main apk files in order to successfully evaluate
and optimize them.

Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro

Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Merged-In: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf

prebuilts/api/30.0/private/coredomain.te

diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index ab731f1..86e8009 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -22,6 +22,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -38,6 +39,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd

prebuilts/api/30.0/private/dexoptanalyzer.te

diff --git a/prebuilts/api/30.0/private/dexoptanalyzer.te b/prebuilts/api/30.0/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/prebuilts/api/30.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/30.0/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
 
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.

private/coredomain.te

diff --git a/private/coredomain.te b/private/coredomain.te
index ab731f1..86e8009 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -22,6 +22,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -38,6 +39,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd

private/dexoptanalyzer.te

diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
 
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.