| # dex2oat |
| type dex2oat, domain, coredomain; |
| type dex2oat_exec, system_file_type, exec_type, file_type; |
| |
| userfaultfd_use(dex2oat) |
| |
| r_dir_file(dex2oat, apk_data_file) |
| # Access to /vendor/app |
| r_dir_file(dex2oat, vendor_app_file) |
| # Access /vendor/framework |
| allow dex2oat vendor_framework_file:dir { getattr search }; |
| allow dex2oat vendor_framework_file:file { getattr open read map }; |
| # Access /vendor/overlay |
| r_dir_file(dex2oat, vendor_overlay_file); |
| # Vendor overlay can be found in vendor apex |
| allow dex2oat vendor_apex_metadata_file:dir { getattr search }; |
| |
| allow dex2oat tmpfs:file { read getattr map }; |
| |
| r_dir_file(dex2oat, dalvikcache_data_file) |
| allow dex2oat dalvikcache_data_file:file write; |
| |
| # Acquire advisory lock on /system/framework/arm/* |
| allow dex2oat system_file:file lock; |
| allow dex2oat postinstall_file:file lock; |
| |
| # Read already open asec_apk_file file descriptors passed by installd. |
| # Also allow reading unlabeled files, to allow for upgrading forward |
| # locked APKs. |
| allow dex2oat asec_apk_file:file { read map }; |
| allow dex2oat unlabeled:file { read map }; |
| allow dex2oat oemfs:file { read map }; |
| allow dex2oat apk_tmp_file:dir search; |
| allow dex2oat apk_tmp_file:file r_file_perms; |
| allow dex2oat user_profile_data_file:file { getattr read lock map }; |
| |
| # Allow dex2oat to compile app's secondary dex files which were reported back to |
| # the framework. |
| allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map }; |
| |
| # Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime. |
| allow dex2oat apex_module_data_file:dir search; |
| |
| # Allow dex2oat to use devpts passed from odsign. |
| allow dex2oat odsign_devpts:chr_file { read write }; |
| |
| # Allow dex2oat to write to file descriptors from odrefresh for files |
| # in the staging area. |
| allow dex2oat apex_art_staging_data_file:dir r_dir_perms; |
| allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink }; |
| |
| # Allow dex2oat to read artifacts from odrefresh. |
| allow dex2oat apex_art_data_file:dir r_dir_perms; |
| allow dex2oat apex_art_data_file:file r_file_perms; |
| |
| # Allow dex2oat to read runtime native flag properties. |
| get_prop(dex2oat, device_config_runtime_native_prop) |
| get_prop(dex2oat, device_config_runtime_native_boot_prop) |
| |
| # Allow dex2oat to read /apex/apex-info-list.xml |
| allow dex2oat apex_info_file:file r_file_perms; |
| |
| # Allow dex2oat to use file descriptors passed from privileged programs. |
| allow dex2oat { artd installd odrefresh odsign }:fd use; |
| |
| # Allow dex2oat to read the /proc filesystem for CPU features, etc. |
| allow dex2oat proc_filesystems:file r_file_perms; |
| |
| ################## |
| # A/B OTA Dexopt # |
| ################## |
| |
| # Allow dex2oat to use file descriptors from otapreopt. |
| allow dex2oat postinstall_dexopt:fd use; |
| |
| # Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker). |
| allow dex2oat postinstall_file:dir r_dir_perms; |
| allow dex2oat postinstall_file:filesystem getattr; |
| allow dex2oat postinstall_file:lnk_file { getattr read }; |
| allow dex2oat postinstall_file:file read; |
| # Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so). |
| # TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX. |
| allow dex2oat postinstall_file:file { execute getattr open }; |
| |
| # Allow dex2oat access to /postinstall/apex. |
| allow dex2oat postinstall_apex_mnt_dir:dir { getattr search }; |
| allow dex2oat postinstall_apex_mnt_dir:file r_file_perms; |
| |
| # Allow dex2oat access to files in /data/ota. |
| allow dex2oat ota_data_file:dir ra_dir_perms; |
| allow dex2oat ota_data_file:file r_file_perms; |
| |
| # Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, |
| # where the oat file is symlinked to the original file in /system. |
| allow dex2oat ota_data_file:lnk_file { create read }; |
| |
| # It would be nice to tie this down, but currently, because of how images are written, we can't |
| # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to |
| # create them itself (and make them world-readable). |
| allow dex2oat ota_data_file:file { create w_file_perms setattr }; |
| |
| ############### |
| # APEX Update # |
| ############### |
| |
| # /dev/zero is inherited. |
| allow dex2oat apexd:fd use; |
| |
| # Allow dex2oat to use file descriptors from preinstall. |
| |
| ############## |
| # Neverallow # |
| ############## |
| |
| neverallow dex2oat app_data_file_type:notdevfile_class_set open; |