# ART service daemon.
# artd runs as a coredomain system daemon and is the privileged side of ART's
# on-device compilation (dexopt) and profile management. Most of the rules below
# grant access to app code, compilation artifacts and profiles; the neverallow
# rules at the end of this file constrain what may execute in this domain.
typeattribute artd coredomain;
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;

# All types of artd subprocesses, which artd can kill.
# Completeness of this attribute is enforced by the neverallow rules below.
attribute artd_subprocess_type;

# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
add_service(artd, artd_pre_reboot_service)
# Write to dumpstate's pipe and use its fds (bugreport dumping).
allow artd dumpstate:fifo_file { getattr write };
allow artd dumpstate:fd use;

init_daemon_domain(artd)

# Allow querying ART device config properties.
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)

# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)

# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label (artd_tmpfs), which differs from labels of tmpfs files created by
# other processes. This lets policy distinguish files created by artd from
# those created by other processes.
tmpfs_domain(artd)

# Allow testing userfaultfd support.
userfaultfd_use(artd)

# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
# Also allow deleting .sdm files.
# Note: artd only gets read + unlink on the APK files themselves; write access
# to the directories is what is needed to create "oat" and relabel it.
allow artd mnt_expand_file:dir { getattr search };
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
allow artd apk_data_file:file { r_file_perms unlink };
allow artd apk_tmp_file:dir { rw_dir_perms create setattr relabelfrom };
allow artd apk_tmp_file:file { r_file_perms unlink };

# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)

# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
# Vendor overlays can also be found in vendor APEXes.
allow artd vendor_apex_metadata_file:dir { getattr search };

# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)

# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
# relabelto is needed because artd creates these under another label and then
# restorecons them (see the relabelfrom grants on apk_data_file above).
allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
allow artd dalvikcache_data_file:file { create_file_perms relabelto };

# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)

# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;

# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
# - reading secondary dex'es in app data directories (reading primary dex'es
# doesn't need root capabilities)
# - managing (CRUD) compilation artifacts in both APK directories for primary
# dex'es and in app data directories for secondary dex'es
# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
# profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
# profile files to the system or apps.
# NOTE(review): these capabilities bypass DAC checks for every file type artd
# is allowed to touch; the per-type allow rules in this file, not DAC, are the
# effective boundary for artd's file access.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };

# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;

# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
# NOTE(review): app_data_file_type is granted as a whole here, so combined with
# dac_override this is full create/relabel access to app-private data of all
# packages; it is not scoped to the dex/profile/artifact paths named above.
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };

# Allow symlinks for secondary dex files. This has to be restricted because
# symlinks can cause various security issues (following a symlink out of the
# app's directory). We allow "privapp_data_file" just for GMS because so far
# we only see GMS using symlinks. Note that only lnk_file getattr/read is
# granted; no other domain's symlinks may be followed.
allow artd privapp_data_file:lnk_file { getattr read };

# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file r_file_perms;
allow artd seapp_contexts_file:file r_file_perms;

# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)

# Allow scanning /, for cleaning up obsolete managed files.
allow artd rootfs:dir r_dir_perms;

# Allow scanning /data, for cleaning up obsolete managed files.
allow artd system_data_root_file:dir r_dir_perms;

# Allow scanning /mnt, for cleaning up obsolete managed files.
allow artd tmpfs:dir r_dir_perms;

# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
allow artd mnt_expand_file:dir r_dir_perms;

# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
# up obsolete managed files.
allow artd system_userdir_file:dir r_dir_perms;

# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
allow artd system_data_file:dir r_dir_perms;

# Allow art_exec_exec to use the artd domain because it is a thin wrapper that
# executes other binaries on behalf of artd. Domain transition will take place
# as soon as art_exec_exec executes other binaries.
# This is the single exception to the execute_no_trans neverallow below.
allow artd art_exec_exec:file rx_file_perms;

# Allow running other binaries in their own domains.
domain_auto_trans(artd, profman_exec, profman)
domain_auto_trans(artd, dex2oat_exec, dex2oat)

# Allow sending sigkill to subprocesses.
allow artd artd_subprocess_type:process sigkill;

# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);

# Allow artd to reopen its own memfd.
# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
# that don't have write permissions on memfds.
allow artd artd_tmpfs:file open;

# For Pre-reboot Dexopt.

# Allow init to execute artd through art_exec.
# artd may use file descriptors it receives from the art_exec domain.
allow artd art_exec:fd use;

# During Pre-reboot Dexopt, artd needs one more capability:
# - "sys_admin" is for bind-mounting temp dirs at
# /data/misc/apexdata/com.android.art and /data/misc/odrefresh, to run
# odrefresh innocuously (in a way that doesn't affect the real boot images,
# metrics, etc.).
# NOTE(review): policy is not phase-aware, so sys_admin is held by the artd
# domain at all times, not only during Pre-reboot Dexopt.
allow artd self:global_capability_class_set sys_admin;

# Allow running other binaries in their own domains.
domain_auto_trans(artd, derive_classpath_exec, derive_classpath)
domain_auto_trans(artd, odrefresh_exec, odrefresh)

# Allow accessing Pre-reboot Dexopt files.
allow artd pre_reboot_dexopt_file:dir { getattr search };

# Allow reading /init.environ.rc in chroot, to extract env vars from it.
# NOTE(review): this rule is type-wide (any rootfs-labeled file), not limited
# to /init.environ.rc.
allow artd rootfs:file { read open getattr };

# Allow managing Pre-reboot Dexopt temp files.
# The root of the temp dir that artd uses during Pre-reboot Dexopt is labeled
# pre_reboot_dexopt_artd_file. Inside the temp dir, we create files and dirs and
# relabel them after creation, so we need relabelfrom.
allow artd pre_reboot_dexopt_artd_file:dir { create_dir_perms relabelfrom };
allow artd pre_reboot_dexopt_artd_file:file { create_file_perms relabelfrom };

# Allow bind-mounting at /data/misc/apexdata/com.android.art and
# /data/misc/odrefresh and restorecon, to run odrefresh innocuously.
allow artd { apex_art_data_file odrefresh_data_file }:dir relabelto;
allow artd { apex_art_data_file odrefresh_data_file pre_reboot_dexopt_artd_file }:dir mounton;

# Neverallow rules.

# Never allow running other binaries without a domain transition.
# The exception for art_exec_exec is explained above.
neverallow artd ~{art_exec_exec}:file execute_no_trans;

# Make sure artd_subprocess_type is complete, in the sense that it includes all
# types of artd subprocesses (so that the sigkill rule above reaches them all).
neverallow artd ~{artd_subprocess_type crash_dump}:process transition;

# artd uses process groups to manage subprocesses and kill them. To ensure
# successful kill, we need to prevent subprocesses from changing their
# process groups or transitioning to other domains.
# Transitioning to crash_dump is allowed because it is transient and is only
# used upon crashes.
neverallow artd_subprocess_type self:process setpgid;
neverallow artd_subprocess_type ~{artd_subprocess_type crash_dump}:process transition;