| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 1 | # dexoptanalyzer |
| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 2 | type dexoptanalyzer, domain, coredomain, mlstrustedsubject; |
| Nick Kralevich | 5e37271 | 2018-09-27 10:21:37 -0700 | [diff] [blame] | 3 | type dexoptanalyzer_exec, system_file_type, exec_type, file_type; |
| Jeff Vander Stoep | 41a2abf | 2019-01-23 15:07:40 -0800 | [diff] [blame] | 4 | type dexoptanalyzer_tmpfs, file_type; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 5 | |
| Calin Juravle | de7244c | 2020-07-13 18:53:38 -0700 | [diff] [blame] | 6 | r_dir_file(dexoptanalyzer, apk_data_file) |
| 7 | # Access to /vendor/app |
| 8 | r_dir_file(dexoptanalyzer, vendor_app_file) |
| 9 | |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 10 | # Reading an APK opens a ZipArchive, which unpack to tmpfs. |
| 11 | # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their |
| 12 | # own label, which differs from other labels created by other processes. |
| 13 | # This allows to distinguish in policy files created by dexoptanalyzer vs other |
| Alan Stokes | f41d4d7 | 2020-09-22 15:43:17 +0100 | [diff] [blame] | 14 | # processes. |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 15 | tmpfs_domain(dexoptanalyzer) |
| 16 | |
| Orion Hodson | 8f75f76 | 2020-10-16 15:29:55 +0100 | [diff] [blame] | 17 | # Allow dexoptanalyzer to read files in the dalvik cache. |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 18 | allow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; |
| 19 | allow dexoptanalyzer dalvikcache_data_file:file r_file_perms; |
| Orion Hodson | 8f75f76 | 2020-10-16 15:29:55 +0100 | [diff] [blame] | 20 | |
| 21 | # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot |
| 22 | # app_data_file the oat file is symlinked to the original file in /system. |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 23 | allow dexoptanalyzer dalvikcache_data_file:lnk_file read; |
| 24 | |
| Orion Hodson | 8f75f76 | 2020-10-16 15:29:55 +0100 | [diff] [blame] | 25 | # Allow dexoptanalyzer to read files in the ART APEX data directory. |
| 26 | allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search }; |
| 27 | allow dexoptanalyzer apex_art_data_file:file r_file_perms; |
| 28 | |
| 29 | # Allow dexoptanalyzer to use file descriptors from odrefresh. |
| 30 | allow dexoptanalyzer odrefresh:fd use; |
| 31 | |
| Martijn Coenen | 6badc7f | 2021-02-19 09:52:15 +0100 | [diff] [blame] | 32 | # Use devpts and fd from odsign (which exec()'s odrefresh) |
| 33 | allow dexoptanalyzer odsign:fd use; |
| 34 | allow dexoptanalyzer odsign_devpts:chr_file { read write }; |
| 35 | |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 36 | allow dexoptanalyzer installd:fd use; |
| David Brazdil | 246efa2 | 2019-03-19 13:57:26 +0000 | [diff] [blame] | 37 | allow dexoptanalyzer installd:fifo_file { getattr write }; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 38 | |
| Roland Levillain | 47c7f84 | 2019-08-06 14:51:01 +0100 | [diff] [blame] | 39 | # Acquire advisory lock on /system/framework/arm/* |
| 40 | allow dexoptanalyzer system_file:file lock; |
| 41 | |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 42 | # Allow reading secondary dex files that were reported by the app to the |
| 43 | # package manager. |
| Roland Levillain | c72b7d1 | 2019-08-16 19:56:03 +0100 | [diff] [blame] | 44 | allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map }; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 45 | |
| 46 | # Allow testing /data/user/0 which symlinks to /data/data |
| 47 | allow dexoptanalyzer system_data_file:lnk_file { getattr }; |