private/profman.te

typeattribute profman coredomain;
typeattribute profman artd_subprocess_type;

# Allow profman to read APKs and profile files next to them by FDs passed from
# other programs. In addition, allow profman to acquire flocks on those files.
allow profman {
  system_file
  apk_data_file
  vendor_app_file
}:file { getattr read map lock };

# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;

# Allow profman to read from memfd created by artd.
# profman needs to read the embedded profile that artd extracts from an APK,
# which is passed by a memfd.
allow profman artd_tmpfs:file { getattr read map lock };

allow profman user_profile_data_file:file { getattr read write lock map };

# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read map };
allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };

allow profman oemfs:file { read map };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read map };
allow profman profman_dump_data_file:file { write map };

# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };

# Allow query ART device config properties
get_prop(profman, device_config_runtime_native_prop)
get_prop(profman, device_config_runtime_native_boot_prop)

###
### neverallow rules
###

neverallow profman app_data_file_type:notdevfile_class_set open;