| # ART service daemon. |
| typeattribute artd coredomain; |
| type artd_exec, system_file_type, exec_type, file_type; |
| type artd_tmpfs, file_type; |
| |
| # Allow artd to publish a binder service and make binder calls. |
| binder_use(artd) |
| add_service(artd, artd_service) |
| allow artd dumpstate:fifo_file { getattr write }; |
| |
| init_daemon_domain(artd) |
| |
| # Allow query ART device config properties |
| get_prop(artd, device_config_runtime_native_prop) |
| get_prop(artd, device_config_runtime_native_boot_prop) |
| |
| # Access to "odsign.verification.success" for deciding whether to deny files in |
| # the ART APEX data directory. |
| get_prop(artd, odsign_prop) |
| |
| # Reading an APK opens a ZipArchive, which unpack to tmpfs. |
| # Use tmpfs_domain() which will give tmpfs files created by artd their |
| # own label, which differs from other labels created by other processes. |
| # This allows to distinguish in policy files created by artd vs other |
| # processes. |
| tmpfs_domain(artd) |
| |
| # Allow testing userfaultfd support. |
| userfaultfd_use(artd) |
| |
| # Read access to primary dex'es on writable partitions (e.g., /data/app/...). |
| r_dir_file(artd, apk_data_file) |
| |
| # Read access to /vendor/app. |
| r_dir_file(artd, vendor_app_file) |
| |
| # Read/write access to all compilation artifacts generated on device for apps' |
| # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.) |
| allow artd dalvikcache_data_file:dir create_dir_perms; |
| allow artd dalvikcache_data_file:file create_file_perms; |
| |
| # Read access to the ART APEX data directory. |
| # Needed for reading the boot image generated on device. |
| allow artd apex_module_data_file:dir { getattr search }; |
| r_dir_file(artd, apex_art_data_file) |
| |
| # Read access to /apex/apex-info-list.xml |
| # Needed for getting APEX versions. |
| allow artd apex_info_file:file r_file_perms; |
| |
| # Allow getting root capabilities to bypass permission checks. |
| # - "dac_override" and "dac_read_search" are for |
| # - reading secondary dex'es in app data directories (reading primary dex'es |
| # doesn't need root capabilities) |
| # - managing (CRUD) compilation artifacts in both APK directories for primary |
| # dex'es and in app data directories for secondary dex'es |
| # - managing (CRUD) profile files for both primary dex'es and secondary dex'es |
| # - "fowner" is for adjusting the file permissions of compilation artifacts and |
| # profile files based on whether they include user data or not. |
| # - "chown" is for transferring the ownership of compilation artifacts and |
| # profile files to the system or apps. |
| allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown }; |
| |
| # Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). |
| allow artd user_profile_data_file:dir { getattr search }; |
| allow artd user_profile_data_file:file create_file_perms; |
| |
| # Never allow running other binaries without a domain transition. |
| # The only exception is art_exec. It is allowed to use the artd domain because |
| # it is a thin wrapper that executes other binaries on behalf of artd. |
| neverallow artd ~{art_exec_exec}:file execute_no_trans; |
| allow artd art_exec_exec:file rx_file_perms; |
| |
| # Allow running other binaries in their own domains. |
| domain_auto_trans(artd, profman_exec, profman) |
| domain_auto_trans(artd, dex2oat_exec, dex2oat) |
| |
| # Allow sending sigkill to subprocesses. |
| allow artd { profman dex2oat }:process sigkill; |
