Allow artd to check optimization status.
Bug: 233383589
Test: -
1. adb shell pm art get-optimization-status com.google.android.youtube
2. See no SELinux denials.
Test: -
1. adb shell pm compile -m speed com.google.android.youtube
2. adb shell pm art get-optimization-status com.google.android.youtube
3. See no SELinux denials.
Test: -
1. adb shell pm install /product/app/YouTube/YouTube.apk
2. adb shell pm art get-optimization-status com.google.android.youtube
3. See no SELinux denials.
Change-Id: I943ebca4ec02c356fa0399b13f6154e7623f228b
diff --git a/private/artd.te b/private/artd.te
index 0aa12dc..0d26234 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,16 +1,48 @@
# art service daemon
-type artd, domain;
+type artd, domain, coredomain;
type artd_exec, system_file_type, exec_type, file_type;
+type artd_tmpfs, file_type;
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
allow artd dumpstate:fifo_file { getattr write };
-typeattribute artd coredomain;
-
init_daemon_domain(artd)
# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)
+
+# Access to "odsign.verification.success" for deciding whether to deny files in
+# the ART APEX data directory.
+get_prop(artd, odsign_prop)
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by artd their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by artd vs other
+# processes.
+tmpfs_domain(artd)
+
+# Allow testing userfaultfd support.
+userfaultfd_use(artd)
+
+# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+r_dir_file(artd, apk_data_file)
+
+# Read access to /vendor/app.
+r_dir_file(artd, vendor_app_file)
+
+# Read access to all compilation artifacts generated on device for apps' primary
+# dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
+r_dir_file(artd, dalvikcache_data_file)
+
+# Read access to the ART APEX data directory.
+# Needed for reading the boot image generated on device.
+allow artd apex_module_data_file:dir { getattr search };
+r_dir_file(artd, apex_art_data_file)
+
+# Read access to /apex/apex-info-list.xml
+# Needed for getting APEX versions.
+allow artd apex_info_file:file r_file_perms;
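Review bot: The comment above `get_prop(artd, odsign_prop)` says the property is used "for deciding whether to deny files in the ART APEX data directory", which leaves the policy reader guessing what is denied and to whom; it is unclear from the hunk whether artd refuses to open the directory or merely stops trusting the artifacts in it when odsign verification has not succeeded. Suggest rewording to something like `# Access to "odsign.verification.success": tells artd whether the artifacts in the ART APEX data directory passed odsign verification and may be trusted.`, with the exact semantics confirmed against the artd code rather than inferred from the property name. The commit description covers only the optimization-status query, while the hunk also grants `tmpfs_domain(artd)`, `userfaultfd_use(artd)` and read access to apk_data_file, vendor_app_file, dalvikcache_data_file and apex_art_data_file; one sentence per grant tying it to that use case would make later audits of this read-only surface easier. The vendor_app_file read, in particular, is what the coredomain.te exemptions in this change appear to exist for, and the description does not mention it.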
diff --git a/private/coredomain.te b/private/coredomain.te
index 56e1730..69367b8 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -50,6 +50,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-dex2oat
-dexoptanalyzer
-idmap
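Review bot: Adding `-artd` to this neverallow exemption list (and the identical edit in the following hunk at `@@ -67,6 +68,7 @@`) carves artd out of a coredomain-wide restriction, but the object type and permission set of each neverallow lie outside the hunk, so the width of the exemption cannot be checked from what is visible here. The only new-side grant in artd.te that seems to need it is `r_dir_file(artd, vendor_app_file)`, so the exemption should be reviewed against the full neverallow body to confirm it does not also lift unrelated restrictions for artd. The neighbouring exemptions (dex2oat, dexoptanalyzer) look like the same class of ART consumer, which is consistent with the change, but a comment above the exemption list naming the justification, e.g. `# artd: read-only access to vendor_app_file for dex optimization status (see private/artd.te)`, would record that reasoning where the next reviewer will look. The enclosing neverallow block starts inside the hunk and ends outside it.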
@@ -67,6 +68,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-dex2oat
-dexoptanalyzer
-idmap