Remove 'dex2oat_exec' from untrusted_app
Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.
Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.
Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 30acf87..7936147 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -51,6 +51,15 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index d264aaf..2db9c4b 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,3 +49,9 @@
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7b9060d..c828f64 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,3 +30,9 @@
# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+
diff --git a/public/app.te b/public/app.te
index 8b62967..40dee5d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -119,9 +119,6 @@
allow appdomain vendor_public_lib_file:dir r_dir_perms;
allow appdomain vendor_public_lib_file:file { execute read open getattr map };
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };