# ART service daemon.
# SELinux type-enforcement policy for the artd domain. artd is a core system
# daemon (coredomain) and is exempt from MLS constraints (mlstrustedsubject) --
# presumably because it touches app data across users (see the per-<user-id>
# paths below); confirm against the MLS constraints in the tree.
typeattribute artd coredomain;
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;

# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
# Write to a fifo owned by dumpstate; presumably the pipe dumpstate hands over
# when it collects artd's dump output -- TODO confirm against dumpstate.
allow artd dumpstate:fifo_file { getattr write };

init_daemon_domain(artd)

# Allow query ART device config properties
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)

# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)

# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by artd vs other
# processes.
tmpfs_domain(artd)

# Allow testing userfaultfd support.
userfaultfd_use(artd)

# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
# relabelfrom here presumably pairs with the relabelto on dalvikcache_data_file
# further down: the "oat" directory is created under the APK's label and then
# restorecon'ed to dalvikcache_data_file -- confirm against file_contexts.
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
allow artd apk_data_file:file r_file_perms;

# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)

# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)

# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)

# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
allow artd dalvikcache_data_file:file { create_file_perms relabelto };

# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)

# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;

# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
#   - reading secondary dex'es in app data directories (reading primary dex'es
#     doesn't need root capabilities)
#   - managing (CRUD) compilation artifacts in both APK directories for primary
#     dex'es and in app data directories for secondary dex'es
#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
#   profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
#   profile files to the system or apps.
# NOTE(review): with DAC (Unix permission) checks bypassed by these
# capabilities, the type rules in this file are the only remaining boundary on
# which files artd can reach, so every new allow rule on a file type here
# widens that reach.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };

# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;

# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
# Both relabel directions are granted on the whole app_data_file_type
# attribute; together with the file_contexts/seapp_contexts access below this
# is presumably what lets artd restorecon the artifacts it creates there.
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };

# Allow symlinks for secondary dex files. This has be to restricted because
# symlinks can cause various security issues. We allow "privapp_data_file" just
# for GMS because so far we only see GMS using symlinks.
# Only getattr/read of the link itself is granted here (no create/unlink), and
# no lnk_file access is granted on any other app data type in this file.
allow artd privapp_data_file:lnk_file { getattr read };

# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file r_file_perms;
allow artd seapp_contexts_file:file r_file_perms;

# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)

# Allow scanning /, for cleaning up obsolete managed files.
# r_dir_perms is read/search-style access; its exact expansion lives in the
# shared macro definitions, not in this file. Nothing here grants writes on
# rootfs.
allow artd rootfs:dir r_dir_perms;

# Allow scanning /data, for cleaning up obsolete managed files.
allow artd system_data_root_file:dir r_dir_perms;

# Allow scanning /mnt, for cleaning up obsolete managed files.
# NOTE(review): the rule is keyed on the tmpfs type, not on the /mnt path, so
# it covers every directory labelled tmpfs, not only /mnt.
allow artd tmpfs:dir r_dir_perms;

# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
allow artd mnt_expand_file:dir r_dir_perms;

# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
# up obsolete managed files.
allow artd system_userdir_file:dir r_dir_perms;

# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
allow artd system_data_file:dir r_dir_perms;

# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
# Because the target is the complement ~{art_exec_exec}, any additional
# executable type must get a domain_auto_trans() like the ones below; a plain
# execute_no_trans allow rule would violate this neverallow at policy build.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file rx_file_perms;

# Allow running other binaries in their own domains.
domain_auto_trans(artd, profman_exec, profman)
domain_auto_trans(artd, dex2oat_exec, dex2oat)

# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;

# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
# NOTE(review): the trailing ';' on these two macro invocations is not used on
# the other macro calls in this file (e.g. r_dir_file(artd, vendor_app_file)).
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);