Grant artd read permissions on current profile directories.
The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.
Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.
This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.
In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).
Therefore, artd needs the permissions to read current profile files.
It also needs to be mlstrustedsubject because current profile files
seem to have MLS restrictions.
Otherwise, it will get SELinux denials like:
```
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="cur" dev="dm-53" ino=81 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0 tclass=dir permissive=1
09-23 20:22:13.931 8097 8097 I binder:8097_2: type=1400 audit(0.0:164): avc: denied { search } for name="0" dev="dm-53" ino=207 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_root_file:s0:c512,c768 tclass=dir permissive=1
```
Note the MLS restrictions `c512,c768` in the message above.
Bug: 248318911
Test: manual -
1. adb shell pm art optimize-package -m speed-profile \
com.google.android.youtube
2. See no SELinux denials like above.
Change-Id: I1cb8c3ac07d3790a4d74d747707327b1d5d8ecfb
diff --git a/private/artd.te b/private/artd.te
index b736665..cb2b6c2 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,5 +1,6 @@
# ART service daemon.
typeattribute artd coredomain;
+typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
@@ -62,6 +63,7 @@
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
+allow artd user_profile_root_file:dir { getattr search };
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;