sepolicy: policies for iorap.inode2filename
binary transitions are as follows:
iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename
Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index bc8508c..f21f28f 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -54,6 +54,10 @@
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
+ iorap_inode2filename
+ iorap_inode2filename_data_file
+ iorap_inode2filename_exec
+ iorap_inode2filename_tmpfs
iorap_prefetcherd
iorap_prefetcherd_data_file
iorap_prefetcherd_exec
diff --git a/private/coredomain.te b/private/coredomain.te
index 0c84797..32a1e3f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -58,6 +58,7 @@
-idmap
-init
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
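Review bot: The new `-iorap_inode2filename` exemption carries no rationale, unlike the neighbouring `-rs # spawned by appdomain, so carryover the exception above`, and the same bare addition is repeated in the `@@ -77` hunk of this file and the `@@ -162` hunk of private/domain.te. The neverallow statements these lists belong to start and end outside the hunks, so which accesses are being opened up cannot be checked from here; the allow rules visible in private/iorap_inode2filename.te cover only the dalvikcache, dex2oat, dexoptanalyzer and storaged types. I would add a trailing comment to each entry, for example `-iorap_inode2filename # read-only path lookups for inode to file name mapping`, and drop any exemption that no allow rule actually needs.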
@@ -77,6 +78,7 @@
-idmap
-init
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
diff --git a/private/domain.te b/private/domain.te
index f1f1896..f54f2c9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -162,6 +162,7 @@
-app_zygote
-dexoptanalyzer
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
@@ -204,8 +205,8 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
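Review bot: Exempting `iorap_inode2filename` from the `staging_data_file:dir *` and `staging_data_file:file *` neverallows removes the compile-time guard for every permission on staged files, while the comment above still says other domains must not access them so the files cannot change between staging and apexd processing. The `no_w_dir_perms` rule on the following line still covers the new domain, but the file-write rule is cut off by the end of the hunk, and no allow on `staging_data_file` is visible in this part of the change, so the intended access is undocumented. I would extend the comment with the reason for the exemption and pin it to metadata reads, e.g. `neverallow iorap_inode2filename staging_data_file:file ~{ getattr };` and `neverallow iorap_inode2filename staging_data_file:dir ~{ getattr open read search };`.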
@@ -315,6 +316,7 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
+ iorap_inode2filename
iorap_prefetcherd
traced_perf
traced_probes
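Review bot: Adding `iorap_inode2filename` to this `neverallow ~{ ... }` list lets the domain be granted whatever the rule guards. The statement's permission set and closing lines lie outside the hunk, but the `dac_override_allowed` entry suggests it is a DAC-bypass capability. No matching `allow iorap_inode2filename self:` capability rule appears in the private/iorap_inode2filename.te shown in this change, so either the grant lives in a file not visible here or the exemption is unused. A helper that walks arbitrary paths with DAC checks relaxed deserves a one-line justification next to the entry, e.g. `iorap_inode2filename # must traverse directories it does not own`, and the entry should be dropped if no capability rule requires it.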
diff --git a/private/file_contexts b/private/file_contexts
index 4e89ca0..58bae9b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -299,6 +299,7 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
+/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
new file mode 100644
index 0000000..96b7bc2
--- /dev/null
+++ b/private/iorap_inode2filename.te
@@ -0,0 +1,9 @@
+typeattribute iorap_inode2filename coredomain;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
+allow iorap_inode2filename dalvikcache_data_file:file { getattr };
+allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
+allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
+allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
+allow iorap_inode2filename storaged_data_file:file { getattr };
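Review bot: The comment `# Grant access to open most of the files under /` overstates the rules under it, which only permit listing two data directories, reading one symlink and `getattr` on a few files, with no `open` or `read` on regular files; it should describe what is granted, e.g. `# Allow stat and directory listing so inodes can be mapped to paths; file contents are never read`. Because this domain is exempted from several global neverallows elsewhere in the change, I would also bound it in this file with `neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };` so that only the expected parents can enter it. The type declarations for the domain are not part of this file and are presumably in a policy file outside this view.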
diff --git a/private/iorapd.te b/private/iorapd.te
index 7f9bcee..73acec9 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -4,6 +4,7 @@
tmpfs_domain(iorapd)
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
# Allow iorapd to access the runtime native boot feature flag properties.
get_prop(iorapd, device_config_runtime_native_boot_prop)
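Review bot: The transition is declared from `iorapd`, but the commit message describes the chain iorapd -> iorap.cmd.compiler -> iorap.inode2filename, so this rule only takes effect if iorap.cmd.compiler keeps running in the iorapd domain; no label or domain for that intermediate binary is visible in this change. A comment above the added line would make the dependency explicit, e.g. `# iorap.cmd.compiler runs as iorapd and execs iorap.inode2filename, which transitions here`. If the compiler is later given its own domain, this transition has to move with it.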