Update SELinux policy to allow artd to perform secondary dex compilation
Secondary dex files are in app data directories. In order to perform
secondary dex compilation, artd needs permissions to:
- Read secondary dex files
- Create "oat" dir
- Create a reference profile in "oat" dir
- Rename the reference profile
- Delete the reference profile
- Read the current profile in "oat" dir
- Delete the current profile
- Create compilation artifacts in "oat" dir
- Rename compilation artifacts
- Delete compilation artifacts
Bug: 249984283
Test: -
1. adb shell pm art optimize-package --secondary-dex -m speed-profile -f com.google.android.gms
2. See no SELinux denial.
Change-Id: I19a0ea7895a54c67959b22085de27d1d0ccc1efc
diff --git a/private/artd.te b/private/artd.te
index cb2b6c2..63045af 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -67,6 +67,12 @@
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
+# Read/write access to secondary dex files, their profiles, and their
+# compilation artifacts
+# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
+allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
+
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
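Review bot: Both new allow rules grant relabelfrom and relabelto on every app_data_file_type dir and file, but the commit description lists only read, create, rename and delete among the permissions artd needs, so the change does not say why artd must relabel anything (the matching neverallow exemption is the `-artd` added to the relabelfrom/relabelto block in domain.te). If relabeling is required, state the reason in the comment, e.g. `# relabelfrom/relabelto: [REASON-PLACEHOLDER, e.g. artifacts created under oat/ must end up with the owning app's label] -- confirm`; if it is not, drop those two permissions from both rules and the domain.te exemption with them. Note also that app_data_file_type is an attribute wider than the `{ app_data_file privapp_data_file }` pair named in the neverallows, which is presumably why the shell-data neverallow further down in domain.te also needed an exemption; a short comment here naming what else that attribute covers would help the next reviewer.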
diff --git a/private/domain.te b/private/domain.te
index 632b9f6..60303ff 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -181,6 +181,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
@@ -191,6 +192,7 @@
-adbd
-appdomain
-app_zygote
+ -artd # compile secondary dex files
-dexoptanalyzer
-installd
-profman
@@ -206,6 +208,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
@@ -214,6 +217,7 @@
domain
-appdomain
-app_zygote
+ -artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -221,11 +225,13 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
neverallow {
domain
+ -artd # compile secondary dex files
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
@@ -606,10 +612,14 @@
# untrustworthy, and non-allowed domains should not be trusting any content in
# those directories. We allow shell files to be passed around by file
# descriptor, but not directly opened.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
neverallow {
domain
-adbd
-appdomain
+ -artd
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
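Review bot: The added comment states that artd does not need /data/local/tmp, yet the `-artd` exemption removes artd from this neverallow entirely, so the policy no longer enforces that statement and any artd access to that directory would fall under the app_data_file_type allow in artd.te. The neverallow's target types come after the hunk end, so I cannot tell whether /data/local/tmp shares a label with the per-user com.android.shell data; if it carries its own type, a separate neverallow with artd as the sole source and that type as target, placed next to this block, would keep the invariant for artd, otherwise the comment should say the access is tolerated rather than unneeded. The neverallow block begins at this hunk's `neverallow {` and continues outside the hunk.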
@@ -621,6 +631,7 @@
neverallow {
domain
-appdomain
+ -artd # compile secondary dex files
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 0aed4d3..67bd113 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -6,16 +6,19 @@
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
+ -artd # compile secondary dex files
-installd
-system_server
-adbd