xref: /aosp_15_r20/system/sepolicy/prebuilts/api/202404/private/postinstall_dexopt.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# Domain for the otapreopt executable, running under postinstall_dexopt
2#
3# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
4# this is derived and adapted from installd.te.
5
6type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
7type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
8type postinstall_dexopt_tmpfs, file_type;
9
10# Run dex2oat/patchoat in its own sandbox.
11# We have to manually transition, as we don't have an entrypoint.
12# - Case where dex2oat is in a non-flattened APEX, which has retained
13#   the correct type (`dex2oat_exec`).
14domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
15# - Case where dex2oat is in a flattened APEX, which has been tagged
16#   with the `postinstall_file` type by update_engine.
17domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
18
19# Run derive_classpath to get the current BCP.
20domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
21# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
22tmpfs_domain(postinstall_dexopt);
23allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
24
25allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
26
27allow postinstall_dexopt postinstall_file:filesystem getattr;
28allow postinstall_dexopt postinstall_file:dir { getattr read search };
29allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
30allow postinstall_dexopt proc_filesystems:file { getattr open read };
31allow postinstall_dexopt rootfs:file r_file_perms;
32
33allow postinstall_dexopt tmpfs:file read;
34
35# Allow access odsign verification status
36get_prop(postinstall_dexopt, odsign_prop)
37
38# Allow access to /postinstall/apex.
39allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
40
41# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
42# here and having to relabel the directory.
43
44# Read app data (APKs) as input to dex2oat.
45r_dir_file(postinstall_dexopt, apk_data_file)
46# Read vendor app data (APKs) as input to dex2oat.
47r_dir_file(postinstall_dexopt, vendor_app_file)
48# Read vendor overlay files (APKs) as input to dex2oat.
49r_dir_file(postinstall_dexopt, vendor_overlay_file)
50# Vendor overlay can be found in vendor apex
51allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
52# Access to app oat directory.
53r_dir_file(postinstall_dexopt, dalvikcache_data_file)
54
55# Read profile data.
56allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
57allow postinstall_dexopt user_profile_data_file:file r_file_perms;
58# Suppress deletion denial (we do not want to update the profile).
59dontaudit postinstall_dexopt user_profile_data_file:file { write };
60
61# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
62allow postinstall_dexopt ota_data_file:dir create_dir_perms;
63allow postinstall_dexopt ota_data_file:file create_file_perms;
64allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
65
66# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
67# TODO: See whether we can apply ota_data_file?
68allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
69allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
70
71# Allow labeling of files under /data/app/com.example/oat/
72# TODO: Restrict to .b suffix?
73allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
74allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
75
76# Check validity of SELinux context before use.
77selinux_check_context(postinstall_dexopt)
78selinux_check_access(postinstall_dexopt)
79
80
81# Postinstall wants to know about our child.
82allow postinstall_dexopt postinstall:process sigchld;
83
84# Allow otapreopt to use file descriptors from otapreopt_chroot.
85# TODO: Probably we can actually close file descriptors...
86allow postinstall_dexopt otapreopt_chroot:fd use;
87
88# Allow postinstall_dexopt to access the runtime feature flag properties.
89get_prop(postinstall_dexopt, device_config_runtime_native_prop)
90get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
91