# ART service daemon.
# SELinux policy for artd: declares the domain, its executable and its tmpfs
# label, then grants what artd needs to compile apps and manage the resulting
# artifacts and profiles.
# coredomain: artd is a system (non-vendor) domain.
typeattribute artd coredomain;
# mlstrustedsubject exempts artd from MLS constraints. Presumably needed
# because artd touches app data for every user (see the app_data_file_type
# rules below) -- confirm.
typeattribute artd mlstrustedsubject;
type artd_exec, system_file_type, exec_type, file_type;
# Label for artd's own tmpfs files; assigned via tmpfs_domain() below and
# referred to again at the end of this file (memfd reopen).
type artd_tmpfs, file_type;

# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
add_service(artd, artd_pre_reboot_service)
# Write to the fifo / fd handed over by dumpstate. NOTE(review): presumably for
# dumping artd's service state into bugreports -- confirm the caller.
allow artd dumpstate:fifo_file { getattr write };
allow artd dumpstate:fd use;

# Let init start artd and transition it into this domain.
init_daemon_domain(artd)

# Allow querying ART device config properties.
get_prop(artd, device_config_runtime_native_prop)
get_prop(artd, device_config_runtime_native_boot_prop)

# Access to "odsign.verification.success" for deciding whether to deny files in
# the ART APEX data directory.
get_prop(artd, odsign_prop)

# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by artd their
# own label, which differs from other labels created by other processes.
# This allows policy to distinguish files created by artd from those created
# by other processes.
tmpfs_domain(artd)

# Allow testing userfaultfd support.
userfaultfd_use(artd)

# Read access to primary dex'es on writable partitions
# ({/data,/mnt/expand/<volume-uuid>}/app/...).
# Also allow creating the "oat" directory before restorecon.
allow artd mnt_expand_file:dir { getattr search };
# relabelfrom here pairs with relabelto on dalvikcache_data_file below: the
# "oat" directory is created with the APK directory's label and then relabeled
# by restorecon. Note that APK files themselves are read-only for artd.
allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
allow artd apk_data_file:file r_file_perms;

# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)

# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
# Vendor overlay can be found in vendor apex.
allow artd vendor_apex_metadata_file:dir { getattr search };

# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)

# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
allow artd dalvikcache_data_file:file { create_file_perms relabelto };

# Read access to the ART APEX data directory.
# Needed for reading the boot image generated on device.
allow artd apex_module_data_file:dir { getattr search };
r_dir_file(artd, apex_art_data_file)

# Read access to /apex/apex-info-list.xml
# Needed for getting APEX versions.
allow artd apex_info_file:file r_file_perms;

# Allow getting root capabilities to bypass permission checks.
# - "dac_override" and "dac_read_search" are for
#   - reading secondary dex'es in app data directories (reading primary dex'es
#     doesn't need root capabilities)
#   - managing (CRUD) compilation artifacts in both APK directories for primary
#     dex'es and in app data directories for secondary dex'es
#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
# - "fowner" is for adjusting the file permissions of compilation artifacts and
#   profile files based on whether they include user data or not.
# - "chown" is for transferring the ownership of compilation artifacts and
#   profile files to the system or apps.
# These capabilities bypass DAC only; the type-enforcement rules in this file
# remain the effective bound on which files artd can reach, which is why the
# execute_no_trans neverallow below matters.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };

# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;

# Read/write access to secondary dex files, their profiles, and their
# compilation artifacts
# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
# relabelfrom/relabelto are for restorecon on the artifacts artd creates in app
# data directories; the context sources restorecon needs are granted further
# below (file_contexts_file, seapp_contexts_file, selinux_check_context).
allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };

# Allow symlinks for secondary dex files. This has to be restricted because
# symlinks can cause various security issues. We allow "privapp_data_file" just
# for GMS because so far we only see GMS using symlinks.
# Only getattr/read are granted: artd can follow existing symlinks but never
# creates or rewrites them.
allow artd privapp_data_file:lnk_file { getattr read };

# Read access to SELinux context files, for restorecon.
allow artd file_contexts_file:file r_file_perms;
allow artd seapp_contexts_file:file r_file_perms;

# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)

# The r_dir_perms rules below are read/search only; they let the cleanup scan
# walk the directory tree without granting writes outside the labels above.

# Allow scanning /, for cleaning up obsolete managed files.
allow artd rootfs:dir r_dir_perms;

# Allow scanning /data, for cleaning up obsolete managed files.
allow artd system_data_root_file:dir r_dir_perms;

# Allow scanning /mnt, for cleaning up obsolete managed files.
allow artd tmpfs:dir r_dir_perms;

# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
allow artd mnt_expand_file:dir r_dir_perms;

# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
# up obsolete managed files.
allow artd system_userdir_file:dir r_dir_perms;

# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
allow artd system_data_file:dir r_dir_perms;

# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.
# This neverallow is the guard that keeps the capabilities granted above from
# being inherited by anything artd might execute; any new exec target must go
# through domain_auto_trans like profman and dex2oat below.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
allow artd art_exec_exec:file rx_file_perms;

# Allow running other binaries in their own domains.
domain_auto_trans(artd, profman_exec, profman)
domain_auto_trans(artd, dex2oat_exec, dex2oat)

# Allow sending sigkill to subprocesses.
allow artd { profman dex2oat }:process sigkill;

# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
# NOTE(review): the trailing ';' on these two macro calls is inconsistent with
# the other macro uses in this file.
r_dir_file(artd, profman);
r_dir_file(artd, dex2oat);

# Allow artd to reopen its own memfd.
# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
# that don't have write permissions on memfds.
# Only "open" is granted here; the other file permissions on artd_tmpfs come
# from tmpfs_domain() above.
allow artd artd_tmpfs:file open;