1*e4a36f41SAndroid Build Coastguard Worker# dexoptanalyzer 2*e4a36f41SAndroid Build Coastguard Workertype dexoptanalyzer, domain, coredomain, mlstrustedsubject; 3*e4a36f41SAndroid Build Coastguard Workertype dexoptanalyzer_exec, system_file_type, exec_type, file_type; 4*e4a36f41SAndroid Build Coastguard Workertype dexoptanalyzer_tmpfs, file_type; 5*e4a36f41SAndroid Build Coastguard Worker 6*e4a36f41SAndroid Build Coastguard Workerr_dir_file(dexoptanalyzer, apk_data_file) 7*e4a36f41SAndroid Build Coastguard Worker# Access to /vendor/app 8*e4a36f41SAndroid Build Coastguard Workerr_dir_file(dexoptanalyzer, vendor_app_file) 9*e4a36f41SAndroid Build Coastguard Worker 10*e4a36f41SAndroid Build Coastguard Worker# Reading an APK opens a ZipArchive, which unpack to tmpfs. 11*e4a36f41SAndroid Build Coastguard Worker# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their 12*e4a36f41SAndroid Build Coastguard Worker# own label, which differs from other labels created by other processes. 13*e4a36f41SAndroid Build Coastguard Worker# This allows to distinguish in policy files created by dexoptanalyzer vs other 14*e4a36f41SAndroid Build Coastguard Worker#processes. 15*e4a36f41SAndroid Build Coastguard Workertmpfs_domain(dexoptanalyzer) 16*e4a36f41SAndroid Build Coastguard Worker 17*e4a36f41SAndroid Build Coastguard Worker# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot 18*e4a36f41SAndroid Build Coastguard Worker# app_data_file the oat file is symlinked to the original file in /system. 19*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; 20*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer dalvikcache_data_file:file r_file_perms; 21*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer dalvikcache_data_file:lnk_file read; 22*e4a36f41SAndroid Build Coastguard Worker 23*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer installd:fd use; 24*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer installd:fifo_file { getattr write }; 25*e4a36f41SAndroid Build Coastguard Worker 26*e4a36f41SAndroid Build Coastguard Worker# Acquire advisory lock on /system/framework/arm/* 27*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer system_file:file lock; 28*e4a36f41SAndroid Build Coastguard Worker 29*e4a36f41SAndroid Build Coastguard Worker# Allow reading secondary dex files that were reported by the app to the 30*e4a36f41SAndroid Build Coastguard Worker# package manager. 31*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search }; 32*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map }; 33*e4a36f41SAndroid Build Coastguard Worker# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the 34*e4a36f41SAndroid Build Coastguard Worker# "dontaudit...audit_access" policy line to suppress the audit access without 35*e4a36f41SAndroid Build Coastguard Worker# suppressing denial on actual access. 36*e4a36f41SAndroid Build Coastguard Workerdontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access; 37*e4a36f41SAndroid Build Coastguard Worker 38*e4a36f41SAndroid Build Coastguard Worker# Allow testing /data/user/0 which symlinks to /data/data 39*e4a36f41SAndroid Build Coastguard Workerallow dexoptanalyzer system_data_file:lnk_file { getattr }; 40