1# ART service daemon.
2typeattribute artd coredomain;
3typeattribute artd mlstrustedsubject;
4type artd_exec, system_file_type, exec_type, file_type;
5type artd_tmpfs, file_type;
6
7# Allow artd to publish a binder service and make binder calls.
8binder_use(artd)
9add_service(artd, artd_service)
10allow artd dumpstate:fifo_file  { getattr write };
11
12init_daemon_domain(artd)
13
14# Allow query ART device config properties
15get_prop(artd, device_config_runtime_native_prop)
16get_prop(artd, device_config_runtime_native_boot_prop)
17
18# Access to "odsign.verification.success" for deciding whether to deny files in
19# the ART APEX data directory.
20get_prop(artd, odsign_prop)
21
22# Reading an APK opens a ZipArchive, which unpack to tmpfs.
23# Use tmpfs_domain() which will give tmpfs files created by artd their
24# own label, which differs from other labels created by other processes.
25# This allows to distinguish in policy files created by artd vs other
26# processes.
27tmpfs_domain(artd)
28
29# Allow testing userfaultfd support.
30userfaultfd_use(artd)
31
32# Read access to primary dex'es on writable partitions
33# ({/data,/mnt/expand/<volume-uuid>}/app/...).
34# Also allow creating the "oat" directory before restorecon.
35allow artd mnt_expand_file:dir { getattr search };
36allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
37allow artd apk_data_file:file r_file_perms;
38
39# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
40r_dir_file(artd, vendor_app_file)
41
42# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
43allow artd oemfs:dir { getattr search };
44r_dir_file(artd, vendor_overlay_file)
45
46# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
47r_dir_file(artd, vendor_framework_file)
48
49# Read/write access to all compilation artifacts generated on device for apps'
50# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
51allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
52allow artd dalvikcache_data_file:file { create_file_perms relabelto };
53
54# Read access to the ART APEX data directory.
55# Needed for reading the boot image generated on device.
56allow artd apex_module_data_file:dir { getattr search };
57r_dir_file(artd, apex_art_data_file)
58
59# Read access to /apex/apex-info-list.xml
60# Needed for getting APEX versions.
61allow artd apex_info_file:file r_file_perms;
62
63# Allow getting root capabilities to bypass permission checks.
64# - "dac_override" and "dac_read_search" are for
65#   - reading secondary dex'es in app data directories (reading primary dex'es
66#     doesn't need root capabilities)
67#   - managing (CRUD) compilation artifacts in both APK directories for primary
68#     dex'es and in app data directories for secondary dex'es
69#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
70# - "fowner" is for adjusting the file permissions of compilation artifacts and
71#   profile files based on whether they include user data or not.
72# - "chown" is for transferring the ownership of compilation artifacts and
73#   profile files to the system or apps.
74allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
75
76# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
77# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
78allow artd user_profile_root_file:dir r_dir_perms;
79allow artd user_profile_data_file:dir rw_dir_perms;
80allow artd user_profile_data_file:file create_file_perms;
81
82# Read/write access to secondary dex files, their profiles, and their
83# compilation artifacts
84# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
85allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
86allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
87
88# Allow symlinks for secondary dex files. This has be to restricted because
89# symlinks can cause various security issues. We allow "privapp_data_file" just
90# for GMS because so far we only see GMS using symlinks.
91allow artd privapp_data_file:lnk_file { getattr read };
92
93# Read access to SELinux context files, for restorecon.
94allow artd file_contexts_file:file r_file_perms;
95allow artd seapp_contexts_file:file r_file_perms;
96
97# Check validity of SELinux context, for restorecon.
98selinux_check_context(artd)
99
100# Allow scanning /, for cleaning up obsolete managed files.
101allow artd rootfs:dir r_dir_perms;
102
103# Allow scanning /data, for cleaning up obsolete managed files.
104allow artd system_data_root_file:dir r_dir_perms;
105
106# Allow scanning /mnt, for cleaning up obsolete managed files.
107allow artd tmpfs:dir r_dir_perms;
108
109# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
110allow artd mnt_expand_file:dir r_dir_perms;
111
112# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
113# up obsolete managed files.
114allow artd system_userdir_file:dir r_dir_perms;
115
116# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
117# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
118allow artd system_data_file:dir r_dir_perms;
119
120# Never allow running other binaries without a domain transition.
121# The only exception is art_exec. It is allowed to use the artd domain because
122# it is a thin wrapper that executes other binaries on behalf of artd.
123neverallow artd ~{art_exec_exec}:file execute_no_trans;
124allow artd art_exec_exec:file rx_file_perms;
125
126# Allow running other binaries in their own domains.
127domain_auto_trans(artd, profman_exec, profman)
128domain_auto_trans(artd, dex2oat_exec, dex2oat)
129
130# Allow sending sigkill to subprocesses.
131allow artd { profman dex2oat }:process sigkill;
132
133# Allow reading process info (/proc/<pid>/...).
134# This is needed for getting CPU time and wall time spent on subprocesses.
135r_dir_file(artd, profman);
136r_dir_file(artd, dex2oat);
137