Allow artd to get root capabilities and write to dalvikcache_data_file.

This CL adds rules to allow artd to delete optimized artifacts.

In general, some functionalities from installd are being migrated to
artd, so artd needs permissions to do what installd is doing: managing
profiles and compilation artifacts that belong to individual apps.

Bug: 225827974
Test: adb shell pm art delete-optimized-artifacts com.google.android.youtube
Change-Id: I1780cdfb481175fd3b0bc9031fdabb8e7cd71a12
diff --git a/private/artd.te b/private/artd.te
index 0d26234..4f0db69 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -34,9 +34,10 @@
 # Read access to /vendor/app.
 r_dir_file(artd, vendor_app_file)
 
-# Read access to all compilation artifacts generated on device for apps' primary
-# dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-r_dir_file(artd, dalvikcache_data_file)
+# Read/write access to all compilation artifacts generated on device for apps'
+# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
+allow artd dalvikcache_data_file:dir create_dir_perms;
+allow artd dalvikcache_data_file:file create_file_perms;
 
 # Read access to the ART APEX data directory.
 # Needed for reading the boot image generated on device.
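Review bot: The replacement comment says "Read/write access", but `create_dir_perms` and `create_file_perms` are wider than read/write: they also cover create, rename, setattr and unlink (plus rmdir/reparent for directories), and the delete use case in the CL description depends on exactly that. Suggest stating the real scope so a later reader does not assume a narrower grant, e.g. `# Full access (create/read/write/rename/delete) to all compilation artifacts` on the first comment line. It would also help to mention in the comment that this grant relies on the matching `-artd` exemptions from the `dalvikcache_data_file` neverallow rules in private/domain.te, so the two files are kept in sync when this is revisited.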
@@ -46,3 +47,14 @@
 # Read access to /apex/apex-info-list.xml
 # Needed for getting APEX versions.
 allow artd apex_info_file:file r_file_perms;
+
+# Allow getting root capabilities to bypass permission checks.
+# - "dac_override" and "dac_read_search" are for
+#   - reading secondary dex'es in app data directories (reading primary dex'es
+#     doesn't need root capabilities)
+#   - managing (CRUD) compilation artifacts in both APK directories for primary
+#     dex'es and in app data directories for secondary dex'es
+#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
+# - "fowner" is for adjusting the file permissions of compilation artifacts and
+#   profile files based on whether they include user data or not.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
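Review bot: The comment above the `global_capability_class_set` grant explains what each capability is used for but not what still bounds it; since "bypass permission checks" reads as a blanket statement, add a line such as `# These bypass DAC (owner/group/mode) checks only; the allow rules in this file still bound which file types artd can reach.` The description of `fowner` as "adjusting the file permissions" is narrower than the capability itself, which waives the owner check for other owner-restricted metadata operations as well (e.g. utimes, xattrs), so a short note that it is broader than chmod would keep the comment honest. Finally, the Test line only exercises artifact deletion, while the comment justifies `dac_override`/`dac_read_search` mostly by secondary-dex and profile handling; it is worth saying in the comment or CL description that those paths are not yet covered by the listed test.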
diff --git a/private/domain.te b/private/domain.te
index 5f369e3..af50226 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -303,6 +303,7 @@
   -cppreopts
   -dex2oat
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:file no_w_file_perms;
 
 neverallow {
@@ -314,6 +315,7 @@
   -dex2oat
   -zygote
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:dir no_w_dir_perms;
 
 # Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
@@ -361,6 +363,7 @@
 # a Unix group or change the permissions of a file.
 define(`dac_override_allowed', `{
   apexd
+  artd
   dnsmasq
   dumpstate
   init