private/artd.te

# art service daemon
type artd, domain, coredomain;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;

# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
allow artd dumpstate:fifo_file  { getattr write };

init_daemon_domain(artd)

# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)

# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)

# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
tmpfs_domain(artd)

# Allow testing userfaultfd support.
userfaultfd_use(artd)

# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
r_dir_file(artd, apk_data_file)

# Read access to /vendor/app.
r_dir_file(artd, vendor_app_file)

# Read access to all compilation artifacts generated on device for apps' primary
# dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
r_dir_file(artd, dalvikcache_data_file)

# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)

# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;