private/dex2oat.te - platform/system/sepolicy - Git at Google

 # dex2oat
 type dex2oat, domain, coredomain;
 type dex2oat_exec, system_file_type, exec_type, file_type;

 userfaultfd_use(dex2oat)

 r_dir_file(dex2oat, apk_data_file)
 # Access to /vendor/app
 r_dir_file(dex2oat, vendor_app_file)
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
 allow dex2oat vendor_framework_file:file { getattr open read map };

 allow dex2oat tmpfs:file { read getattr map };

 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 allow dex2oat installd:fd use;

 # Acquire advisory lock on /system/framework/arm/*
 allow dex2oat system_file:file lock;
 allow dex2oat postinstall_file:file lock;

 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
 allow dex2oat asec_apk_file:file { read map };
 allow dex2oat unlabeled:file { read map };
 allow dex2oat oemfs:file { read map };
 allow dex2oat apk_tmp_file:dir search;
 allow dex2oat apk_tmp_file:file r_file_perms;
 allow dex2oat user_profile_data_file:file { getattr read lock map };

 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
 allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };

 # Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
 allow dex2oat apex_module_data_file:dir search;

 # Allow dex2oat to use file descriptors passed from odrefresh.
 allow dex2oat odrefresh:fd use;

 # Allow dex2oat to use devpts and file descriptors passed from odsign
 allow dex2oat odsign_devpts:chr_file { read write };
 allow dex2oat odsign:fd use;

 # Allow dex2oat to write to file descriptors from odrefresh for files
 # in the staging area.
 allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
 allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };

 # Allow dex2oat to read artifacts from odrefresh.
 allow dex2oat apex_art_data_file:dir r_dir_perms;
 allow dex2oat apex_art_data_file:file r_file_perms;

 # Allow dex2oat to read runtime native flag properties.
 get_prop(dex2oat, device_config_runtime_native_prop)
 get_prop(dex2oat, device_config_runtime_native_boot_prop)

 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;

 ##################
 # A/B OTA Dexopt #
 ##################

 # Allow dex2oat to use file descriptors from otapreopt.
 allow dex2oat postinstall_dexopt:fd use;

 # Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
 allow dex2oat postinstall_file:dir r_dir_perms;
 allow dex2oat postinstall_file:filesystem getattr;
 allow dex2oat postinstall_file:lnk_file { getattr read };
 allow dex2oat postinstall_file:file read;
 # Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
 # TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
 allow dex2oat postinstall_file:file { execute getattr open };

 # Allow dex2oat access to /postinstall/apex.
 allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
 allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;

 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
 allow dex2oat ota_data_file:file r_file_perms;

 # Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
 # where the oat file is symlinked to the original file in /system.
 allow dex2oat ota_data_file:lnk_file { create read };

 # It would be nice to tie this down, but currently, because of how images are written, we can't
 # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
 # create them itself (and make them world-readable).
 allow dex2oat ota_data_file:file { create w_file_perms setattr };

 ###############
 # APEX Update #
 ###############

 # /dev/zero is inherited.
 allow dex2oat apexd:fd use;

 # Allow dex2oat to use file descriptors from preinstall.

 ##############
 # Neverallow #
 ##############

 neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
	# dex2oat
	type dex2oat, domain, coredomain;
	type dex2oat_exec, system_file_type, exec_type, file_type;

	userfaultfd_use(dex2oat)

	r_dir_file(dex2oat, apk_data_file)
	# Access to /vendor/app
	r_dir_file(dex2oat, vendor_app_file)
	# Access /vendor/framework
	allow dex2oat vendor_framework_file:dir { getattr search };
	allow dex2oat vendor_framework_file:file { getattr open read map };

	allow dex2oat tmpfs:file { read getattr map };

	r_dir_file(dex2oat, dalvikcache_data_file)
	allow dex2oat dalvikcache_data_file:file write;
	allow dex2oat installd:fd use;

	# Acquire advisory lock on /system/framework/arm/*
	allow dex2oat system_file:file lock;
	allow dex2oat postinstall_file:file lock;

	# Read already open asec_apk_file file descriptors passed by installd.
	# Also allow reading unlabeled files, to allow for upgrading forward
	# locked APKs.
	allow dex2oat asec_apk_file:file { read map };
	allow dex2oat unlabeled:file { read map };
	allow dex2oat oemfs:file { read map };
	allow dex2oat apk_tmp_file:dir search;
	allow dex2oat apk_tmp_file:file r_file_perms;
	allow dex2oat user_profile_data_file:file { getattr read lock map };

	# Allow dex2oat to compile app's secondary dex files which were reported back to
	# the framework.
	allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };

	# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
	allow dex2oat apex_module_data_file:dir search;

	# Allow dex2oat to use file descriptors passed from odrefresh.
	allow dex2oat odrefresh:fd use;

	# Allow dex2oat to use devpts and file descriptors passed from odsign
	allow dex2oat odsign_devpts:chr_file { read write };
	allow dex2oat odsign:fd use;

	# Allow dex2oat to write to file descriptors from odrefresh for files
	# in the staging area.
	allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
	allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };

	# Allow dex2oat to read artifacts from odrefresh.
	allow dex2oat apex_art_data_file:dir r_dir_perms;
	allow dex2oat apex_art_data_file:file r_file_perms;

	# Allow dex2oat to read runtime native flag properties.
	get_prop(dex2oat, device_config_runtime_native_prop)
	get_prop(dex2oat, device_config_runtime_native_boot_prop)

	# Allow dex2oat to read /apex/apex-info-list.xml
	allow dex2oat apex_info_file:file r_file_perms;

	##################
	# A/B OTA Dexopt #
	##################

	# Allow dex2oat to use file descriptors from otapreopt.
	allow dex2oat postinstall_dexopt:fd use;

	# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
	allow dex2oat postinstall_file:dir r_dir_perms;
	allow dex2oat postinstall_file:filesystem getattr;
	allow dex2oat postinstall_file:lnk_file { getattr read };
	allow dex2oat postinstall_file:file read;
	# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
	# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
	allow dex2oat postinstall_file:file { execute getattr open };

	# Allow dex2oat access to /postinstall/apex.
	allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
	allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;

	# Allow dex2oat access to files in /data/ota.
	allow dex2oat ota_data_file:dir ra_dir_perms;
	allow dex2oat ota_data_file:file r_file_perms;

	# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
	# where the oat file is symlinked to the original file in /system.
	allow dex2oat ota_data_file:lnk_file { create read };

	# It would be nice to tie this down, but currently, because of how images are written, we can't
	# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
	# create them itself (and make them world-readable).
	allow dex2oat ota_data_file:file { create w_file_perms setattr };

	###############
	# APEX Update #
	###############

	# /dev/zero is inherited.
	allow dex2oat apexd:fd use;

	# Allow dex2oat to use file descriptors from preinstall.

	##############
	# Neverallow #
	##############

	neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;