private/artd.te - platform/system/sepolicy - Git at Google

 # ART service daemon.
 typeattribute artd coredomain;
 typeattribute artd mlstrustedsubject;
 type artd_exec, system_file_type, exec_type, file_type;
 type artd_tmpfs, file_type;

 # Allow artd to publish a binder service and make binder calls.
 binder_use(artd)
 add_service(artd, artd_service)
 allow artd dumpstate:fifo_file  { getattr write };

 init_daemon_domain(artd)

 # Allow query ART device config properties
 get_prop(artd, device_config_runtime_native_prop)
 get_prop(artd, device_config_runtime_native_boot_prop)

 # Access to "odsign.verification.success" for deciding whether to deny files in
 # the ART APEX data directory.
 get_prop(artd, odsign_prop)

 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by artd their
 # own label, which differs from other labels created by other processes.
 # This allows to distinguish in policy files created by artd vs other
 # processes.
 tmpfs_domain(artd)

 # Allow testing userfaultfd support.
 userfaultfd_use(artd)

 # Read access to primary dex'es on writable partitions
 # ({/data,/mnt/expand/<volume-uuid>}/app/...).
 # Also allow creating the "oat" directory before restorecon.
 allow artd mnt_expand_file:dir { getattr search };
 allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
 allow artd apk_data_file:file r_file_perms;

 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)

 # Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
 allow artd oemfs:dir { getattr search };
 r_dir_file(artd, vendor_overlay_file)

 # Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
 r_dir_file(artd, vendor_framework_file)

 # Read/write access to all compilation artifacts generated on device for apps'
 # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
 allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
 allow artd dalvikcache_data_file:file { create_file_perms relabelto };

 # Read access to the ART APEX data directory.
 # Needed for reading the boot image generated on device.
 allow artd apex_module_data_file:dir { getattr search };
 r_dir_file(artd, apex_art_data_file)

 # Read access to /apex/apex-info-list.xml
 # Needed for getting APEX versions.
 allow artd apex_info_file:file r_file_perms;

 # Allow getting root capabilities to bypass permission checks.
 # - "dac_override" and "dac_read_search" are for
 #   - reading secondary dex'es in app data directories (reading primary dex'es
 #     doesn't need root capabilities)
 #   - managing (CRUD) compilation artifacts in both APK directories for primary
 #     dex'es and in app data directories for secondary dex'es
 #   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
 # - "fowner" is for adjusting the file permissions of compilation artifacts and
 #   profile files based on whether they include user data or not.
 # - "chown" is for transferring the ownership of compilation artifacts and
 #   profile files to the system or apps.
 allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };

 # Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
 # scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
 allow artd user_profile_root_file:dir r_dir_perms;
 allow artd user_profile_data_file:dir rw_dir_perms;
 allow artd user_profile_data_file:file create_file_perms;

 # Read/write access to secondary dex files, their profiles, and their
 # compilation artifacts
 # ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
 allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
 allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };

 # Allow symlinks for secondary dex files. This has be to restricted because
 # symlinks can cause various security issues. We allow "privapp_data_file" just
 # for GMS because so far we only see GMS using symlinks.
 allow artd privapp_data_file:lnk_file { getattr read };

 # Read access to SELinux context files, for restorecon.
 allow artd file_contexts_file:file r_file_perms;
 allow artd seapp_contexts_file:file r_file_perms;

 # Check validity of SELinux context, for restorecon.
 selinux_check_context(artd)

 # Allow scanning /, for cleaning up obsolete managed files.
 allow artd rootfs:dir r_dir_perms;

 # Allow scanning /data, for cleaning up obsolete managed files.
 allow artd system_data_root_file:dir r_dir_perms;

 # Allow scanning /mnt, for cleaning up obsolete managed files.
 allow artd tmpfs:dir r_dir_perms;

 # Allow scanning /mnt/expand, for cleaning up obsolete managed files.
 allow artd mnt_expand_file:dir r_dir_perms;

 # Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
 # up obsolete managed files.
 allow artd system_userdir_file:dir r_dir_perms;

 # Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
 # /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
 allow artd system_data_file:dir r_dir_perms;

 # Never allow running other binaries without a domain transition.
 # The only exception is art_exec. It is allowed to use the artd domain because
 # it is a thin wrapper that executes other binaries on behalf of artd.
 neverallow artd ~{art_exec_exec}:file execute_no_trans;
 allow artd art_exec_exec:file rx_file_perms;

 # Allow running other binaries in their own domains.
 domain_auto_trans(artd, profman_exec, profman)
 domain_auto_trans(artd, dex2oat_exec, dex2oat)

 # Allow sending sigkill to subprocesses.
 allow artd { profman dex2oat }:process sigkill;

 # Allow reading process info (/proc/<pid>/...).
 # This is needed for getting CPU time and wall time spent on subprocesses.
 r_dir_file(artd, profman);
 r_dir_file(artd, dex2oat);
	# ART service daemon.
	typeattribute artd coredomain;
	typeattribute artd mlstrustedsubject;
	type artd_exec, system_file_type, exec_type, file_type;
	type artd_tmpfs, file_type;

	# Allow artd to publish a binder service and make binder calls.
	binder_use(artd)
	add_service(artd, artd_service)
	allow artd dumpstate:fifo_file { getattr write };

	init_daemon_domain(artd)

	# Allow query ART device config properties
	get_prop(artd, device_config_runtime_native_prop)
	get_prop(artd, device_config_runtime_native_boot_prop)

	# Access to "odsign.verification.success" for deciding whether to deny files in
	# the ART APEX data directory.
	get_prop(artd, odsign_prop)

	# Reading an APK opens a ZipArchive, which unpack to tmpfs.
	# Use tmpfs_domain() which will give tmpfs files created by artd their
	# own label, which differs from other labels created by other processes.
	# This allows to distinguish in policy files created by artd vs other
	# processes.
	tmpfs_domain(artd)

	# Allow testing userfaultfd support.
	userfaultfd_use(artd)

	# Read access to primary dex'es on writable partitions
	# ({/data,/mnt/expand/<volume-uuid>}/app/...).
	# Also allow creating the "oat" directory before restorecon.
	allow artd mnt_expand_file:dir { getattr search };
	allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
	allow artd apk_data_file:file r_file_perms;

	# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
	r_dir_file(artd, vendor_app_file)

	# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
	allow artd oemfs:dir { getattr search };
	r_dir_file(artd, vendor_overlay_file)

	# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
	r_dir_file(artd, vendor_framework_file)

	# Read/write access to all compilation artifacts generated on device for apps'
	# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
	allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
	allow artd dalvikcache_data_file:file { create_file_perms relabelto };

	# Read access to the ART APEX data directory.
	# Needed for reading the boot image generated on device.
	allow artd apex_module_data_file:dir { getattr search };
	r_dir_file(artd, apex_art_data_file)

	# Read access to /apex/apex-info-list.xml
	# Needed for getting APEX versions.
	allow artd apex_info_file:file r_file_perms;

	# Allow getting root capabilities to bypass permission checks.
	# - "dac_override" and "dac_read_search" are for
	# - reading secondary dex'es in app data directories (reading primary dex'es
	# doesn't need root capabilities)
	# - managing (CRUD) compilation artifacts in both APK directories for primary
	# dex'es and in app data directories for secondary dex'es
	# - managing (CRUD) profile files for both primary dex'es and secondary dex'es
	# - "fowner" is for adjusting the file permissions of compilation artifacts and
	# profile files based on whether they include user data or not.
	# - "chown" is for transferring the ownership of compilation artifacts and
	# profile files to the system or apps.
	allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };

	# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
	# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
	allow artd user_profile_root_file:dir r_dir_perms;
	allow artd user_profile_data_file:dir rw_dir_perms;
	allow artd user_profile_data_file:file create_file_perms;

	# Read/write access to secondary dex files, their profiles, and their
	# compilation artifacts
	# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
	allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
	allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };

	# Allow symlinks for secondary dex files. This has be to restricted because
	# symlinks can cause various security issues. We allow "privapp_data_file" just
	# for GMS because so far we only see GMS using symlinks.
	allow artd privapp_data_file:lnk_file { getattr read };

	# Read access to SELinux context files, for restorecon.
	allow artd file_contexts_file:file r_file_perms;
	allow artd seapp_contexts_file:file r_file_perms;

	# Check validity of SELinux context, for restorecon.
	selinux_check_context(artd)

	# Allow scanning /, for cleaning up obsolete managed files.
	allow artd rootfs:dir r_dir_perms;

	# Allow scanning /data, for cleaning up obsolete managed files.
	allow artd system_data_root_file:dir r_dir_perms;

	# Allow scanning /mnt, for cleaning up obsolete managed files.
	allow artd tmpfs:dir r_dir_perms;

	# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
	allow artd mnt_expand_file:dir r_dir_perms;

	# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
	# up obsolete managed files.
	allow artd system_userdir_file:dir r_dir_perms;

	# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
	# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
	allow artd system_data_file:dir r_dir_perms;

	# Never allow running other binaries without a domain transition.
	# The only exception is art_exec. It is allowed to use the artd domain because
	# it is a thin wrapper that executes other binaries on behalf of artd.
	neverallow artd ~{art_exec_exec}:file execute_no_trans;
	allow artd art_exec_exec:file rx_file_perms;

	# Allow running other binaries in their own domains.
	domain_auto_trans(artd, profman_exec, profman)
	domain_auto_trans(artd, dex2oat_exec, dex2oat)

	# Allow sending sigkill to subprocesses.
	allow artd { profman dex2oat }:process sigkill;

	# Allow reading process info (/proc/<pid>/...).
	# This is needed for getting CPU time and wall time spent on subprocesses.
	r_dir_file(artd, profman);
	r_dir_file(artd, dex2oat);