| # dexoptanalyzer |
| type dexoptanalyzer, domain, coredomain, mlstrustedsubject; |
| type dexoptanalyzer_exec, system_file_type, exec_type, file_type; |
| type dexoptanalyzer_tmpfs, file_type; |
| |
| r_dir_file(dexoptanalyzer, apk_data_file) |
| # Access to /vendor/app |
| r_dir_file(dexoptanalyzer, vendor_app_file) |
| |
| # Reading an APK opens a ZipArchive, which unpack to tmpfs. |
| # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their |
| # own label, which differs from other labels created by other processes. |
| # This allows to distinguish in policy files created by dexoptanalyzer vs other |
| #processes. |
| tmpfs_domain(dexoptanalyzer) |
| |
| # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot |
| # app_data_file the oat file is symlinked to the original file in /system. |
| allow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; |
| allow dexoptanalyzer dalvikcache_data_file:file r_file_perms; |
| allow dexoptanalyzer dalvikcache_data_file:lnk_file read; |
| |
| allow dexoptanalyzer installd:fd use; |
| allow dexoptanalyzer installd:fifo_file { getattr write }; |
| |
| # Acquire advisory lock on /system/framework/arm/* |
| allow dexoptanalyzer system_file:file lock; |
| |
| # Allow reading secondary dex files that were reported by the app to the |
| # package manager. |
| allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search }; |
| allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map }; |
| # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the |
| # "dontaudit...audit_access" policy line to suppress the audit access without |
| # suppressing denial on actual access. |
| dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access; |
| |
| # Allow testing /data/user/0 which symlinks to /data/data |
| allow dexoptanalyzer system_data_file:lnk_file { getattr }; |