| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 1 | # dexoptanalyzer |
| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 2 | type dexoptanalyzer, domain, coredomain, mlstrustedsubject; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 3 | type dexoptanalyzer_exec, exec_type, file_type; |
| 4 | |
| 5 | # Reading an APK opens a ZipArchive, which unpack to tmpfs. |
| 6 | # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their |
| 7 | # own label, which differs from other labels created by other processes. |
| 8 | # This allows to distinguish in policy files created by dexoptanalyzer vs other |
| 9 | #processes. |
| 10 | tmpfs_domain(dexoptanalyzer) |
| 11 | |
| 12 | # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot |
| 13 | # app_data_file the oat file is symlinked to the original file in /system. |
| 14 | allow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; |
| 15 | allow dexoptanalyzer dalvikcache_data_file:file r_file_perms; |
| 16 | allow dexoptanalyzer dalvikcache_data_file:lnk_file read; |
| 17 | |
| 18 | allow dexoptanalyzer installd:fd use; |
| 19 | |
| 20 | # Allow reading secondary dex files that were reported by the app to the |
| 21 | # package manager. |
| 22 | allow dexoptanalyzer app_data_file:dir { getattr search }; |
| 23 | allow dexoptanalyzer app_data_file:file r_file_perms; |
| Jeff Vander Stoep | 06aee35 | 2017-06-26 15:08:37 -0700 | [diff] [blame] | 24 | # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the |
| 25 | # "dontaudit...audit_access" policy line to suppress the audit access without |
| 26 | # suppressing denial on actual access. |
| 27 | dontaudit dexoptanalyzer app_data_file:dir audit_access; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 28 | |
| 29 | # Allow testing /data/user/0 which symlinks to /data/data |
| 30 | allow dexoptanalyzer system_data_file:lnk_file { getattr }; |