Merge "Allow artd to get root capabilities and write to dalvikcache_data_file."
diff --git a/private/artd.te b/private/artd.te
index 0d26234..4f0db69 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -34,9 +34,10 @@
# Read access to /vendor/app.
r_dir_file(artd, vendor_app_file)
-# Read access to all compilation artifacts generated on device for apps' primary
-# dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
-r_dir_file(artd, dalvikcache_data_file)
+# Read/write access to all compilation artifacts generated on device for apps'
+# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
+allow artd dalvikcache_data_file:dir create_dir_perms;
+allow artd dalvikcache_data_file:file create_file_perms;
# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
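Review bot: The replacement comment on the new rules says "Read/write access", but `create_dir_perms` and `create_file_perms` are wider than that — they also grant create, rename, setattr and unlink (and rmdir/reparent for directories), so artd can now delete and re-attribute any artifact under dalvikcache_data_file, not merely rewrite it. Because this label is otherwise protected by neverallows that only a short list of domains is excluded from, the comment should state the full scope and tie it to the companion carve-outs, e.g. `# Read/write/create/delete access (create_*_perms) to all compilation artifacts ...; artd is correspondingly excluded from the dalvikcache_data_file no_w_file_perms/no_w_dir_perms neverallows in private/domain.te.` The artd.te rules before and after this hunk are not visible here.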
@@ -46,3 +47,14 @@
# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;
+
+# Allow getting root capabilities to bypass permission checks.
+# - "dac_override" and "dac_read_search" are for
+# - reading secondary dex'es in app data directories (reading primary dex'es
+# doesn't need root capabilities)
+# - managing (CRUD) compilation artifacts in both APK directories for primary
+# dex'es and in app data directories for secondary dex'es
+# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
+# - "fowner" is for adjusting the file permissions of compilation artifacts and
+# profile files based on whether they include user data or not.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
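Review bot: The capability grant on the last line is not limited to the secondary-dex and profile paths the comment enumerates; once `dac_override` and `dac_read_search` are held, DAC checks are bypassed on every object whose type artd is already allowed to reach, so the effective file scoping rests on the type rules plus whatever path validation artd performs on caller-supplied arguments (not visible in this change). The comment should say so explicitly, and should cross-reference the `dac_override_allowed` entry added in private/domain.te in this same change, which is presumably what lets this rule pass the dac_override neverallow, e.g. `# artd is listed in dac_override_allowed (domain.te). DAC bypass applies to every type artd may access, so scoping relies on the allow rules and on artd validating the paths it is asked to operate on.` It would also help future audits to note which concrete operation fails without `fowner` (the chmod/setattr case in the last bullet), so the grant can be revisited if that code path is removed.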
diff --git a/private/domain.te b/private/domain.te
index 5f369e3..af50226 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -303,6 +303,7 @@
-cppreopts
-dex2oat
-otapreopt_slot
+ -artd
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
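Review bot: `-artd` is appended after `-otapreopt_slot`, while the visible entries of this exclusion list (`-cppreopts`, `-dex2oat`, `-otapreopt_slot`) are alphabetical and the `dac_override_allowed` list later in this commit inserts `artd` in sorted position; placing it first, before `-cppreopts`, keeps the hunks consistent and makes the set of domains allowed to write dalvikcache_data_file easier to audit. The neverallow statement this list belongs to begins before the hunk, so its full subject set and the rule comment are not visible here. The `no_w_dir_perms` list in the following hunk is already unordered in view, so the same remark is only advisory there.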
@@ -314,6 +315,7 @@
-dex2oat
-zygote
-otapreopt_slot
+ -artd
} dalvikcache_data_file:dir no_w_dir_perms;
# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
@@ -361,6 +363,7 @@
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
apexd
+ artd
dnsmasq
dumpstate
init