diff options
Diffstat (limited to 'prebuilts/api/32.0/private/dex2oat.te')
| -rw-r--r-- | prebuilts/api/32.0/private/dex2oat.te | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/dex2oat.te b/prebuilts/api/32.0/private/dex2oat.te new file mode 100644 index 000000000..e7cdd5f12 --- /dev/null +++ b/prebuilts/api/32.0/private/dex2oat.te @@ -0,0 +1,110 @@ +# dex2oat +type dex2oat, domain, coredomain; +type dex2oat_exec, system_file_type, exec_type, file_type; + +userfaultfd_use(dex2oat) + +r_dir_file(dex2oat, apk_data_file) +# Access to /vendor/app +r_dir_file(dex2oat, vendor_app_file) +# Access /vendor/framework +allow dex2oat vendor_framework_file:dir { getattr search }; +allow dex2oat vendor_framework_file:file { getattr open read map }; + +allow dex2oat tmpfs:file { read getattr map }; + +r_dir_file(dex2oat, dalvikcache_data_file) +allow dex2oat dalvikcache_data_file:file write; +allow dex2oat installd:fd use; + +# Acquire advisory lock on /system/framework/arm/* +allow dex2oat system_file:file lock; +allow dex2oat postinstall_file:file lock; + +# Read already open asec_apk_file file descriptors passed by installd. +# Also allow reading unlabeled files, to allow for upgrading forward +# locked APKs. +allow dex2oat asec_apk_file:file { read map }; +allow dex2oat unlabeled:file { read map }; +allow dex2oat oemfs:file { read map }; +allow dex2oat apk_tmp_file:dir search; +allow dex2oat apk_tmp_file:file r_file_perms; +allow dex2oat user_profile_data_file:file { getattr read lock map }; + +# Allow dex2oat to compile app's secondary dex files which were reported back to +# the framework. +allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map }; + +# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime. +allow dex2oat apex_module_data_file:dir search; + +# Allow dex2oat to use file descriptors passed from odrefresh. +allow dex2oat odrefresh:fd use; + +# Allow dex2oat to use devpts and file descriptors passed from odsign +allow dex2oat odsign_devpts:chr_file { read write }; +allow dex2oat odsign:fd use; + +# Allow dex2oat to write to file descriptors from odrefresh for files +# in the staging area. +allow dex2oat apex_art_staging_data_file:dir r_dir_perms; +allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink }; + +# Allow dex2oat to read artifacts from odrefresh. +allow dex2oat apex_art_data_file:dir r_dir_perms; +allow dex2oat apex_art_data_file:file r_file_perms; + +# Allow dex2oat to read runtime native flag properties. +get_prop(dex2oat, device_config_runtime_native_prop) +get_prop(dex2oat, device_config_runtime_native_boot_prop) + +# Allow dex2oat to read /apex/apex-info-list.xml +allow dex2oat apex_info_file:file r_file_perms; + +################## +# A/B OTA Dexopt # +################## + +# Allow dex2oat to use file descriptors from otapreopt. +allow dex2oat postinstall_dexopt:fd use; + +# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker). +allow dex2oat postinstall_file:dir r_dir_perms; +allow dex2oat postinstall_file:filesystem getattr; +allow dex2oat postinstall_file:lnk_file { getattr read }; +allow dex2oat postinstall_file:file read; +# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so). +# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX. +allow dex2oat postinstall_file:file { execute getattr open }; + +# Allow dex2oat access to /postinstall/apex. +allow dex2oat postinstall_apex_mnt_dir:dir { getattr search }; +allow dex2oat postinstall_apex_mnt_dir:file r_file_perms; + +# Allow dex2oat access to files in /data/ota. +allow dex2oat ota_data_file:dir ra_dir_perms; +allow dex2oat ota_data_file:file r_file_perms; + +# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, +# where the oat file is symlinked to the original file in /system. +allow dex2oat ota_data_file:lnk_file { create read }; + +# It would be nice to tie this down, but currently, because of how images are written, we can't +# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to +# create them itself (and make them world-readable). +allow dex2oat ota_data_file:file { create w_file_perms setattr }; + +############### +# APEX Update # +############### + +# /dev/zero is inherited. +allow dex2oat apexd:fd use; + +# Allow dex2oat to use file descriptors from preinstall. + +############## +# Neverallow # +############## + +neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open; |