[layout compilation] Modify sepolicy to allow installd to run viewcompiler
We will generate precompiled layouts as part of the package install or upgrade
process. This means installd needs to be able to invoke viewcompiler. This
change gives installd and viewcompiler the minimal set of permissions needed for
this to work.
Bug: 111895153
Test: manual
Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
diff --git a/private/domain.te b/private/domain.te
index e33a9cd..6d62a59 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -108,6 +108,7 @@
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
+ -viewcompiler
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
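Review bot: The new `-viewcompiler` exception removes viewcompiler from a rule whose object set is `{ privapp_data_file app_data_file }:dir *`, which is wider than anything viewcompiler is actually granted: the only app-data rule in private/viewcompiler.te is `allow viewcompiler app_data_file:file { getattr write };`, with no `:dir` permissions at all, and the guard added there (`neverallow viewcompiler privapp_data_file:file no_w_file_perms;`) covers files only. If, as the exception list and the comment on the next line suggest, this is the neverallow that keeps non-app domains from modifying app data directories, the carve-out leaves privapp_data_file and app_data_file directories unguarded for viewcompiler without a matching need. Either drop the exception if viewcompiler never touches these directories, or pair it with a directory guard in private/viewcompiler.te, `neverallow viewcompiler privapp_data_file:dir no_w_dir_perms;`, so the "signed code only" intent stated there holds for directories too. The enclosing statement begins before this hunk.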
diff --git a/private/file_contexts b/private/file_contexts
index 13cc728..474c637 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -272,6 +272,7 @@
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
diff --git a/private/installd.te b/private/installd.te
index 0b7ec4e..c511b80 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -8,6 +8,9 @@
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
+
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
new file mode 100644
index 0000000..14009c6
--- /dev/null
+++ b/private/viewcompiler.te
@@ -0,0 +1,24 @@
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+
+allow viewcompiler installd:fd use;
+
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file read;
+
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;
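Review bot: The rules `allow viewcompiler app_data_file:file { getattr write };` and `allow viewcompiler apk_data_file:file read;` grant write and read without `open` or `create`, which only works if the descriptors are opened by installd and inherited across the domain transition — presumably the reason for `allow viewcompiler installd:fd use;` above. That design decision is what keeps the domain from needing path-based access to app data, so it should be stated next to those rules rather than left for the reader to infer; a comment such as `# Output dex and input APK are opened by installd and passed as descriptors; viewcompiler never opens app data or APK paths itself.` would do. If the compiler does open or mmap the APK on its own, the current rule set is incomplete and the reviewer should confirm against the installd-side code which of the two models is intended.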