| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 1 | # dexoptanalyzer |
| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 2 | type dexoptanalyzer, domain, coredomain, mlstrustedsubject; |
| Nick Kralevich | 5e37271 | 2018-09-27 10:21:37 -0700 | [diff] [blame] | 3 | type dexoptanalyzer_exec, system_file_type, exec_type, file_type; |
| Jeff Vander Stoep | 41a2abf | 2019-01-23 15:07:40 -0800 | [diff] [blame] | 4 | type dexoptanalyzer_tmpfs, file_type; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 5 | |
| Calin Juravle | de7244c | 2020-07-13 18:53:38 -0700 | [diff] [blame^] | 6 | r_dir_file(dexoptanalyzer, apk_data_file) |
| 7 | # Access to /vendor/app |
| 8 | r_dir_file(dexoptanalyzer, vendor_app_file) |
| 9 | |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 10 | # Reading an APK opens a ZipArchive, which unpack to tmpfs. |
| 11 | # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their |
| 12 | # own label, which differs from other labels created by other processes. |
| 13 | # This allows to distinguish in policy files created by dexoptanalyzer vs other |
| 14 | #processes. |
| 15 | tmpfs_domain(dexoptanalyzer) |
| 16 | |
| 17 | # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot |
| 18 | # app_data_file the oat file is symlinked to the original file in /system. |
| 19 | allow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; |
| 20 | allow dexoptanalyzer dalvikcache_data_file:file r_file_perms; |
| 21 | allow dexoptanalyzer dalvikcache_data_file:lnk_file read; |
| 22 | |
| 23 | allow dexoptanalyzer installd:fd use; |
| David Brazdil | 246efa2 | 2019-03-19 13:57:26 +0000 | [diff] [blame] | 24 | allow dexoptanalyzer installd:fifo_file { getattr write }; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 25 | |
| Roland Levillain | 47c7f84 | 2019-08-06 14:51:01 +0100 | [diff] [blame] | 26 | # Acquire advisory lock on /system/framework/arm/* |
| 27 | allow dexoptanalyzer system_file:file lock; |
| 28 | |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 29 | # Allow reading secondary dex files that were reported by the app to the |
| 30 | # package manager. |
| Nick Kralevich | 23c9d91 | 2018-08-02 15:54:23 -0700 | [diff] [blame] | 31 | allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search }; |
| Roland Levillain | c72b7d1 | 2019-08-16 19:56:03 +0100 | [diff] [blame] | 32 | allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map }; |
| Jeff Vander Stoep | 06aee35 | 2017-06-26 15:08:37 -0700 | [diff] [blame] | 33 | # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the |
| 34 | # "dontaudit...audit_access" policy line to suppress the audit access without |
| 35 | # suppressing denial on actual access. |
| Nick Kralevich | 23c9d91 | 2018-08-02 15:54:23 -0700 | [diff] [blame] | 36 | dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access; |
| Calin Juravle | e5a1f64 | 2017-01-17 20:31:31 -0800 | [diff] [blame] | 37 | |
| 38 | # Allow testing /data/user/0 which symlinks to /data/data |
| 39 | allow dexoptanalyzer system_data_file:lnk_file { getattr }; |