Audit access to libart

Grant access to all processes and audit access. The end goal is to
whitelist all access to the interpreter. Several processes including
dex2oat, apps, and zygote were observed using libart, so omit them
from auditing and explicitly grant them access.

Test: Angler builds and boots

Bug: 29795519
Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88

app.te

@@ -10,6 +10,9 @@
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
+# allow access to the interpreter
+allow appdomain libart_file:file { execute read open getattr };
+
 allow appdomain ashmem_device:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.

dex2oat.te

@@ -6,6 +6,9 @@ r_dir_file(dex2oat, apk_data_file)
 
 allow dex2oat tmpfs:file { read getattr };
 
+# allow access to the interpreter
+allow dex2oat libart_file:file { execute read open getattr };
+
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where

domain.te

@@ -101,6 +101,17 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;
 
+# Initially grant all domains access to libart.
+# TODO move to a whitelist. b/29795519
+allow domain libart_file:file { execute read open getattr };
+auditallow {
+  domain
+  -appdomain
+  -dex2oat
+  -recovery
+  -zygote
+} libart_file:file { execute read open getattr };
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
@@ -294,7 +305,7 @@ neverallow {
     userdebug_or_eng(`-su')
     -system_server
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
     domain
     -appdomain # for oemfs

file.te

@@ -68,6 +68,8 @@ type app_fusefs, fs_type, contextmount_type;
 type unlabeled, file_type;
 # Default type for anything under /system.
 type system_file, file_type;
+# Type for /system/*/libart*
+type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds

file_contexts

@@ -216,7 +216,8 @@
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
-
+/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
+/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 
 #############################
 # Vendor files

recovery.te

@@ -28,7 +28,7 @@ recovery_only(`
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
   # We may be asked to set an SELinux label for a type not known to the

zygote.te

@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
+allow zygote libart_file:file { execute read open getattr };
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?