Update SELinux policy for app compilation CUJ.
- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: -
1. adb shell pm art optimize-package -m speed-profile -f \
com.google.android.youtube
2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
diff --git a/private/artd.te b/private/artd.te
index 4f0db69..dc6855e 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,5 +1,5 @@
-# art service daemon
-type artd, domain, coredomain;
+# ART service daemon.
+typeattribute artd coredomain;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
@@ -57,4 +57,23 @@
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
# profile files based on whether they include user data or not.
-allow artd self:global_capability_class_set { dac_override dac_read_search fowner };
+# - "chown" is for transferring the ownership of compilation artifacts and
+# profile files to the system or apps.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
+
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
+allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_data_file:file create_file_perms;
+
+# Never allow running other binaries without a domain transition.
+# The only exception is art_exec. It is allowed to use the artd domain because
+# it is a thin wrapper that executes other binaries on behalf of artd.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
+allow artd art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, profman_exec, profman)
+domain_auto_trans(artd, dex2oat_exec, dex2oat)
+
+# Allow sending sigkill to subprocesses.
+allow artd { profman dex2oat }:process sigkill;
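Review bot: The comment on the new profile rules understates what is granted: `create_file_perms` on `user_profile_data_file:file` includes create, unlink, rename and setattr, not only read/write, while the matching dir rule grants just `{ getattr search }`, so actually creating or unlinking a profile would still be denied at the directory level (needs `{ write add_name remove_name }`) unless that is granted somewhere outside this hunk. Either narrow the file grant to `rw_file_perms` so it matches the comment and the dir rule, or widen the dir rule and reword the comment, e.g. `# Create/read/write/delete access to profiles (/data/misc/profiles/{ref,cur}/...).` Keeping the grant and the comment in agreement matters here because artd now also holds `chown` next to `dac_override`, so any file it can reach and create can be re-owned; the narrowest rule that makes the CUJ pass is the one to keep. The commit message mentions new profman rules, but none appear in this diff, so I could not check that side.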