| # dex2oat |
| type dex2oat, domain, coredomain; |
| type dex2oat_exec, system_file_type, exec_type, file_type; |
| |
| userfaultfd_use(dex2oat) |
| |
| allow dex2oat tmpfs:file { read getattr map }; |
| |
| # Allow dex2oat to use FDs from authfs_service via compos. |
| allow dex2oat authfs_service:fd use; |
| allow dex2oat compos:fd use; |
| allow dex2oat odrefresh:fd use; |
| |
| # Allow dex2oat to read/write FDs on authfs_fuse filesystem. |
| allow dex2oat authfs_fuse:file { read write getattr map }; |
| |
| # Allow to search in authfs directories. |
| allow dex2oat authfs_data_file:dir { search }; |
| allow dex2oat authfs_fuse:dir { search }; |
| |
| # Minijail uses pipe for the parent process to signal the child (as a fallback |
| # mechanism, since Android does not support minijail's preload). |
| # TODO(196109647): We can probably remove this once the minijail preload is |
| # supported on Android. |
| allow dex2oat compos:fifo_file read; |
| |
| # Allow acquiring advisory lock on /system/framework/<arch>/* |
| allow dex2oat system_file:file lock; |
| |
| # Allow dex2oat to read /apex/apex-info-list.xml |
| allow dex2oat apex_info_file:file r_file_perms; |
| |
| # Allow reading dalvik system properties that may affect compilation |
| get_prop(dex2oat, dalvik_config_prop_type) |
| get_prop(dex2oat, device_config_runtime_native_boot_prop) |
| |
| # Don't audit because we don't configure the compiler through these |
| # properties in the VM. |
| dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map }; |