Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ff67b849bf58d9bc6a440c8b8fe0df77d4916a15^! / .
commitff67b849bf58d9bc6a440c8b8fe0df77d4916a15[log] [tgz]
authorJiakai Zhang <jiakaiz@google.com>Fri Sep 23 20:59:42 2022 +0100
committerJiakai Zhang <jiakaiz@google.com>Mon Sep 26 10:47:34 2022 +0000
tree196ff9c49b4173baf32396d0b3e9eefe0429d892
parente6da3b80d139d01ca36a96514dc0a0483b5dfc8d [diff]
Grant artd write permissions on profile directories.

The permissions are needed for profile-guided compilation: when ART
Services compiles an app, it uses the information in current profiles as
one factor to determine which classes and methods to compile.

Since there can be multiple current profiles, in practice, it merges
the current profiles into a "reference profile" and passes that to the
compiler. After the compilation is done successfully, it keeps the
reference profile and deletes current profiles.

This is currently done by installd
(http://cs/android-internal/system/sepolicy/public/installd.te;l=125;rcl=0cbe233cdc361b0976874b2df04392d74245aade),
and we'd like artd to do it.

In addition, we want to make artd work in a more atomic way: If a
reference profile already exists, instead of mutating it in place,
artd creates a temp file next to it, works on the temp file, and
replaces the original file after it's done (or deletes the temp file
if it fails).

Therefore, artd needs the permissions to add/delete/replace profile
files. Otherwise, it will get SELinux denials like:

```
09-23 19:51:37.951  5050  5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { write } for name="com.google.android.youtube" dev="dm-52" ino=922 scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
09-23 19:51:37.951  5050  5050 I binder:5050_1: type=1400 audit(0.0:134): avc: denied { add_name } for name="primary.prof.6mOsV9.tmp" scontext=u:r:artd:s0 tcontext=u:object_r:user_profile_data_file:s0 tclass=dir permissive=1
```

Bug: 248318911
Test: manual -
  1. adb shell pm art optimize-package -m speed-profile \
       com.google.android.youtube
  2. See no SELinux denials like above.
Change-Id: Ib1a914b9a9526a85b69d27970e4b23c4e101c68a

diff --git a/private/artd.te b/private/artd.te
index 58fe6ef..b736665 100644
--- a/private/artd.te
+++ b/private/artd.te

@@ -62,7 +62,7 @@
 allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
 
 # Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
-allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_data_file:dir rw_dir_perms;
 allow artd user_profile_data_file:file create_file_perms;
 
 # Never allow running other binaries without a domain transition.