PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a3d6302c57
android_system_sepolicy/private/dexoptanalyzer.te
David Brazdil 246efa2a24 dexoptanalyzer: Allow writing into installd's pipe 
Dexoptanalyzer is getting a new mode to instruct installd on which dex
files it needs to open for itself and dex2oat from class loader context.
The file list is communicated by a pipe from a forked dexoptanalyzer
process to the installd parent. Give dexoptanalyzer permission to write
to installd's pipes.

Bug; 126674985
Test: atest installd_dexopt_test
Change-Id: Ic415e2dc543099d26681103c9d368c941d21b49a
2019-03-20 15:37:12 +00:00

33 lines
1.6 KiB
Plaintext
Raw Blame History

# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
#processes.
tmpfs_domain(dexoptanalyzer)
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
Reference in New Issue View Git Blame Copy Permalink