| Jiakai Zhang | c871c1c | 2022-07-19 21:29:31 +0100 | [diff] [blame] | 1 | # ART service daemon. |
| 2 | typeattribute artd coredomain; |
| Jiakai Zhang | 28e69a4 | 2022-09-23 22:37:59 +0100 | [diff] [blame] | 3 | typeattribute artd mlstrustedsubject; |
| Chris Wailes | 467d8a8 | 2021-03-03 12:30:28 -0800 | [diff] [blame] | 4 | type artd_exec, system_file_type, exec_type, file_type; |
| Jiakai Zhang | 76bfb7e | 2022-05-26 13:55:33 +0100 | [diff] [blame] | 5 | type artd_tmpfs, file_type; |
| Chris Wailes | 467d8a8 | 2021-03-03 12:30:28 -0800 | [diff] [blame] | 6 | |
| 7 | # Allow artd to publish a binder service and make binder calls. |
| 8 | binder_use(artd) |
| 9 | add_service(artd, artd_service) |
| Jiakai Zhang | 817c49f | 2023-10-18 17:03:20 +0100 | [diff] [blame^] | 10 | add_service(artd, artd_pre_reboot_service) |
| ThiƩbaud Weksteen | 8a250b9 | 2023-08-24 10:37:17 +1000 | [diff] [blame] | 11 | allow artd dumpstate:fifo_file { getattr write }; |
| 12 | allow artd dumpstate:fd use; |
| Chris Wailes | 467d8a8 | 2021-03-03 12:30:28 -0800 | [diff] [blame] | 13 | |
| Chris Wailes | 467d8a8 | 2021-03-03 12:30:28 -0800 | [diff] [blame] | 14 | init_daemon_domain(artd) |
| Calin Juravle | 0b2ca6c | 2021-05-18 15:33:08 -0700 | [diff] [blame] | 15 | |
| 16 | # Allow query ART device config properties |
| 17 | get_prop(artd, device_config_runtime_native_prop) |
| 18 | get_prop(artd, device_config_runtime_native_boot_prop) |
| Jiakai Zhang | 76bfb7e | 2022-05-26 13:55:33 +0100 | [diff] [blame] | 19 | |
| 20 | # Access to "odsign.verification.success" for deciding whether to deny files in |
| 21 | # the ART APEX data directory. |
| 22 | get_prop(artd, odsign_prop) |
| 23 | |
| 24 | # Reading an APK opens a ZipArchive, which unpack to tmpfs. |
| 25 | # Use tmpfs_domain() which will give tmpfs files created by artd their |
| 26 | # own label, which differs from other labels created by other processes. |
| 27 | # This allows to distinguish in policy files created by artd vs other |
| 28 | # processes. |
| 29 | tmpfs_domain(artd) |
| 30 | |
| 31 | # Allow testing userfaultfd support. |
| 32 | userfaultfd_use(artd) |
| 33 | |
| Jiakai Zhang | 5e53105 | 2022-12-12 14:28:40 +0000 | [diff] [blame] | 34 | # Read access to primary dex'es on writable partitions |
| 35 | # ({/data,/mnt/expand/<volume-uuid>}/app/...). |
| Jiakai Zhang | 7789460 | 2023-01-17 16:57:03 +0800 | [diff] [blame] | 36 | # Also allow creating the "oat" directory before restorecon. |
| Jiakai Zhang | 5e53105 | 2022-12-12 14:28:40 +0000 | [diff] [blame] | 37 | allow artd mnt_expand_file:dir { getattr search }; |
| Jiakai Zhang | 7789460 | 2023-01-17 16:57:03 +0800 | [diff] [blame] | 38 | allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom }; |
| 39 | allow artd apk_data_file:file r_file_perms; |
| Jiakai Zhang | 76bfb7e | 2022-05-26 13:55:33 +0100 | [diff] [blame] | 40 | |
| Jiakai Zhang | 5e53105 | 2022-12-12 14:28:40 +0000 | [diff] [blame] | 41 | # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...). |
| Jiakai Zhang | 76bfb7e | 2022-05-26 13:55:33 +0100 | [diff] [blame] | 42 | r_dir_file(artd, vendor_app_file) |
| 43 | |
| Jooyung Han | 7c4f8a8 | 2023-06-09 13:26:54 +0900 | [diff] [blame] | 44 | # Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...). |
| Jiakai Zhang | 5e53105 | 2022-12-12 14:28:40 +0000 | [diff] [blame] | 45 | allow artd oemfs:dir { getattr search }; |
| 46 | r_dir_file(artd, vendor_overlay_file) |
| Jooyung Han | 7c4f8a8 | 2023-06-09 13:26:54 +0900 | [diff] [blame] | 47 | # Vendor overlay can be found in vendor apex |
| 48 | allow artd vendor_apex_metadata_file:dir { getattr search }; |
| Jiakai Zhang | 5e53105 | 2022-12-12 14:28:40 +0000 | [diff] [blame] | 49 | |
| 50 | # Read access to vendor shared libraries ({/vendor,/odm}/framework/...). |
| 51 | r_dir_file(artd, vendor_framework_file) |
| 52 | |
| Jiakai Zhang | 2ce60a6 | 2022-06-07 15:20:58 +0100 | [diff] [blame] | 53 | # Read/write access to all compilation artifacts generated on device for apps' |
| 54 | # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.) |
| Jiakai Zhang | 7789460 | 2023-01-17 16:57:03 +0800 | [diff] [blame] | 55 | allow artd dalvikcache_data_file:dir { create_dir_perms relabelto }; |
| 56 | allow artd dalvikcache_data_file:file { create_file_perms relabelto }; |
| Jiakai Zhang | 76bfb7e | 2022-05-26 13:55:33 +0100 | [diff] [blame] | 57 | |
| 58 | # Read access to the ART APEX data directory. |
| 59 | # Needed for reading the boot image generated on device. |
| 60 | allow artd apex_module_data_file:dir { getattr search }; |
| 61 | r_dir_file(artd, apex_art_data_file) |
| 62 | |
| 63 | # Read access to /apex/apex-info-list.xml |
| 64 | # Needed for getting APEX versions. |
| 65 | allow artd apex_info_file:file r_file_perms; |
| Jiakai Zhang | 2ce60a6 | 2022-06-07 15:20:58 +0100 | [diff] [blame] | 66 | |
| 67 | # Allow getting root capabilities to bypass permission checks. |
| 68 | # - "dac_override" and "dac_read_search" are for |
| 69 | # - reading secondary dex'es in app data directories (reading primary dex'es |
| 70 | # doesn't need root capabilities) |
| 71 | # - managing (CRUD) compilation artifacts in both APK directories for primary |
| 72 | # dex'es and in app data directories for secondary dex'es |
| 73 | # - managing (CRUD) profile files for both primary dex'es and secondary dex'es |
| 74 | # - "fowner" is for adjusting the file permissions of compilation artifacts and |
| 75 | # profile files based on whether they include user data or not. |
| Jiakai Zhang | c871c1c | 2022-07-19 21:29:31 +0100 | [diff] [blame] | 76 | # - "chown" is for transferring the ownership of compilation artifacts and |
| 77 | # profile files to the system or apps. |
| 78 | allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown }; |
| 79 | |
| Jiakai Zhang | 440ae78 | 2022-12-23 16:24:14 +0000 | [diff] [blame] | 80 | # Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow |
| 81 | # scanning /data/misc/profiles/cur, for cleaning up obsolete managed files. |
| 82 | allow artd user_profile_root_file:dir r_dir_perms; |
| Jiakai Zhang | ff67b84 | 2022-09-23 20:59:42 +0100 | [diff] [blame] | 83 | allow artd user_profile_data_file:dir rw_dir_perms; |
| Jiakai Zhang | c871c1c | 2022-07-19 21:29:31 +0100 | [diff] [blame] | 84 | allow artd user_profile_data_file:file create_file_perms; |
| 85 | |
| Jiakai Zhang | 2ffeca7 | 2022-10-21 17:03:56 +0100 | [diff] [blame] | 86 | # Read/write access to secondary dex files, their profiles, and their |
| 87 | # compilation artifacts |
| 88 | # ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...). |
| 89 | allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto }; |
| 90 | allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto }; |
| 91 | |
| Jiakai Zhang | 6834597 | 2022-12-12 14:34:50 +0000 | [diff] [blame] | 92 | # Allow symlinks for secondary dex files. This has be to restricted because |
| 93 | # symlinks can cause various security issues. We allow "privapp_data_file" just |
| 94 | # for GMS because so far we only see GMS using symlinks. |
| 95 | allow artd privapp_data_file:lnk_file { getattr read }; |
| 96 | |
| Jiakai Zhang | d7f8119 | 2022-12-12 13:45:13 +0000 | [diff] [blame] | 97 | # Read access to SELinux context files, for restorecon. |
| 98 | allow artd file_contexts_file:file r_file_perms; |
| 99 | allow artd seapp_contexts_file:file r_file_perms; |
| 100 | |
| 101 | # Check validity of SELinux context, for restorecon. |
| 102 | selinux_check_context(artd) |
| 103 | |
| Jiakai Zhang | 440ae78 | 2022-12-23 16:24:14 +0000 | [diff] [blame] | 104 | # Allow scanning /, for cleaning up obsolete managed files. |
| 105 | allow artd rootfs:dir r_dir_perms; |
| 106 | |
| 107 | # Allow scanning /data, for cleaning up obsolete managed files. |
| 108 | allow artd system_data_root_file:dir r_dir_perms; |
| 109 | |
| 110 | # Allow scanning /mnt, for cleaning up obsolete managed files. |
| 111 | allow artd tmpfs:dir r_dir_perms; |
| 112 | |
| 113 | # Allow scanning /mnt/expand, for cleaning up obsolete managed files. |
| 114 | allow artd mnt_expand_file:dir r_dir_perms; |
| 115 | |
| 116 | # Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning |
| 117 | # up obsolete managed files. |
| 118 | allow artd system_userdir_file:dir r_dir_perms; |
| 119 | |
| 120 | # Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and |
| 121 | # /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files. |
| 122 | allow artd system_data_file:dir r_dir_perms; |
| 123 | |
| Jiakai Zhang | c871c1c | 2022-07-19 21:29:31 +0100 | [diff] [blame] | 124 | # Never allow running other binaries without a domain transition. |
| 125 | # The only exception is art_exec. It is allowed to use the artd domain because |
| 126 | # it is a thin wrapper that executes other binaries on behalf of artd. |
| 127 | neverallow artd ~{art_exec_exec}:file execute_no_trans; |
| 128 | allow artd art_exec_exec:file rx_file_perms; |
| 129 | |
| 130 | # Allow running other binaries in their own domains. |
| 131 | domain_auto_trans(artd, profman_exec, profman) |
| 132 | domain_auto_trans(artd, dex2oat_exec, dex2oat) |
| 133 | |
| 134 | # Allow sending sigkill to subprocesses. |
| 135 | allow artd { profman dex2oat }:process sigkill; |
| Jiakai Zhang | 88e5583 | 2022-09-07 23:52:09 +0100 | [diff] [blame] | 136 | |
| 137 | # Allow reading process info (/proc/<pid>/...). |
| 138 | # This is needed for getting CPU time and wall time spent on subprocesses. |
| 139 | r_dir_file(artd, profman); |
| 140 | r_dir_file(artd, dex2oat); |
| Jiakai Zhang | 4d70f0b | 2023-10-13 18:26:56 +0000 | [diff] [blame] | 141 | |
| 142 | # Allow artd to reopen its own memfd. |
| 143 | # artd needs to reopen a memfd with readonly in order to pass it to subprocesses |
| 144 | # that don't have write permissions on memfds. |
| 145 | allow artd artd_tmpfs:file open; |