Merge changes I04f3b9ea,I81c583b0 into main
* changes:
Remove SELinux rules for dexoptanalyzer.
Add neverallow rules to ensure successful kill by artd.
diff --git a/private/artd.te b/private/artd.te
index e6a6aaa..bc4a7a2 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -4,6 +4,9 @@
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
+# All types of artd subprocesses, which artd can kill.
+attribute artd_subprocess_type;
+
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
@@ -131,7 +134,7 @@
domain_auto_trans(artd, dex2oat_exec, dex2oat)
# Allow sending sigkill to subprocesses.
-allow artd { profman dex2oat }:process sigkill;
+allow artd artd_subprocess_type:process sigkill;
# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
@@ -159,9 +162,6 @@
domain_auto_trans(artd, derive_classpath_exec, derive_classpath)
domain_auto_trans(artd, odrefresh_exec, odrefresh)
-# Allow sending sigkill to subprocesses.
-allow artd { derive_classpath odrefresh }:process sigkill;
-
# Allow accessing Pre-reboot Dexopt files.
allow artd pre_reboot_dexopt_file:dir { getattr search };
@@ -185,3 +185,15 @@
# Never allow running other binaries without a domain transition.
# The exception for art_exec_exec is explained above.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
+
+# Make sure artd_subprocess_type is complete, in a sense that it includes all
+# types of artd subprocesses.
+neverallow artd ~{artd_subprocess_type crash_dump}:process transition;
+
+# artd uses process groups to manage subprocesses and kill them. To ensure
+# successful kill, we need to prevent subprocesses from changing their
+# process groups or transitioning to other domains.
+# Transitioning crash_dump is allowed because it is transient and is only used
+# upon crashes.
+neverallow artd_subprocess_type self:process setpgid;
+neverallow artd_subprocess_type ~{artd_subprocess_type crash_dump}:process transition;
diff --git a/private/coredomain.te b/private/coredomain.te
index d89e9ca..93cbff5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -55,7 +55,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
@@ -73,7 +72,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
@@ -96,7 +94,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
@@ -117,7 +114,6 @@
-appdomain
-artd
-dex2oat
- -dexoptanalyzer
-idmap
-init
-installd
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 8dd6572..d7c29c2 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -1,6 +1,6 @@
# Domain for derive_classpath
-type derive_classpath, domain, coredomain;
+type derive_classpath, domain, coredomain, artd_subprocess_type;
type derive_classpath_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_classpath)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 18600d8..3a841ce 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1,5 +1,5 @@
# dex2oat
-type dex2oat, domain, coredomain;
+type dex2oat, domain, coredomain, artd_subprocess_type;
type dex2oat_exec, system_file_type, exec_type, file_type;
userfaultfd_use(dex2oat)
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index ca715c1..4c87f99 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,60 +1,3 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+# Deprecated file type for the legacy dexoptanalyzer binary, used by Android T-. We need to keep it
+# for compatibility because the file type is burnt into the apex image.
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
-type dexoptanalyzer_tmpfs, file_type;
-
-r_dir_file(dexoptanalyzer, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dexoptanalyzer, vendor_app_file)
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-# processes.
-tmpfs_domain(dexoptanalyzer)
-
-userfaultfd_use(dexoptanalyzer)
-
-# Allow dexoptanalyzer to read files in the dalvik cache.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-# Allow dexoptanalyzer to read files in the ART APEX data directory.
-allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
-allow dexoptanalyzer apex_art_data_file:file r_file_perms;
-
-# Allow dexoptanalyzer to use file descriptors from odrefresh.
-allow dexoptanalyzer odrefresh:fd use;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow dexoptanalyzer odsign:fd use;
-allow dexoptanalyzer odsign_devpts:chr_file { read write };
-
-allow dexoptanalyzer installd:fd use;
-allow dexoptanalyzer installd:fifo_file { getattr write };
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dexoptanalyzer system_file:file lock;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-
-# dexoptanalyzer checks the DM files next to dex files. We don't need this check
-# for secondary dex files, but it's not harmful. Just deny it and ignore it.
-dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
-
-# Allow query ART device config properties
-get_prop(dexoptanalyzer, device_config_runtime_native_prop)
-get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
-
-# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 4cf9138..94f96d9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -15,12 +15,12 @@
setsched
getsession
getpgid
- setpgid
getcap
setcap
getattr
setrlimit
};
+allow { domain -artd_subprocess_type } self:process setpgid;
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
@@ -1633,7 +1633,6 @@
-appdomain
-app_zygote
-artd # compile secondary dex files
- -dexoptanalyzer
-installd
-profman
-rs # spawned by appdomain, so carryover the exception above
diff --git a/private/installd.te b/private/installd.te
index 742c897..55e962a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -9,9 +9,6 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
@@ -44,11 +41,6 @@
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read add_name remove_name rename rmdir search write getattr };
-allow installd { dex2oat dexoptanalyzer }:process signal;
-
-# installd kills subprocesses if they time out.
-allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
-
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 899b0d9..97205c2 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -1,5 +1,5 @@
# odrefresh
-type odrefresh, domain, coredomain;
+type odrefresh, domain, coredomain, artd_subprocess_type;
type odrefresh_exec, system_file_type, exec_type, file_type;
# Allow odrefresh to create files and directories for on device signing.
@@ -24,12 +24,6 @@
# Allow odrefresh to kill dex2oat if compilation times out.
allow odrefresh dex2oat:process sigkill;
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Allow odrefresh to kill dexoptanalyzer if analysis times out.
-allow odrefresh dexoptanalyzer:process sigkill;
-
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
diff --git a/private/profman.te b/private/profman.te
index af53646..7071334 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1,4 +1,5 @@
typeattribute profman coredomain;
+typeattribute profman artd_subprocess_type;
# Allow profman to read APKs and profile files next to them by FDs passed from
# other programs. In addition, allow profman to acquire flocks on those files.
diff --git a/private/system_server.te b/private/system_server.te
index 436cfa7..1c9f732 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1545,10 +1545,6 @@
# Read /proc/pressure/cpu and /proc/pressure/io
allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;