xref: /aosp_15_r20/system/sepolicy/private/artd.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# ART service daemon.
2typeattribute artd coredomain;
3typeattribute artd mlstrustedsubject;
4type artd_exec, system_file_type, exec_type, file_type;
5type artd_tmpfs, file_type;
6
7# All types of artd subprocesses, which artd can kill.
8attribute artd_subprocess_type;
9
10# Allow artd to publish a binder service and make binder calls.
11binder_use(artd)
12add_service(artd, artd_service)
13add_service(artd, artd_pre_reboot_service)
14allow artd dumpstate:fifo_file { getattr write };
15allow artd dumpstate:fd use;
16
17init_daemon_domain(artd)
18
19# Allow query ART device config properties
20get_prop(artd, device_config_runtime_native_prop)
21get_prop(artd, device_config_runtime_native_boot_prop)
22
23# Access to "odsign.verification.success" for deciding whether to deny files in
24# the ART APEX data directory.
25get_prop(artd, odsign_prop)
26
27# Reading an APK opens a ZipArchive, which unpack to tmpfs.
28# Use tmpfs_domain() which will give tmpfs files created by artd their
29# own label, which differs from other labels created by other processes.
30# This allows to distinguish in policy files created by artd vs other
31# processes.
32tmpfs_domain(artd)
33
34# Allow testing userfaultfd support.
35userfaultfd_use(artd)
36
37# Read access to primary dex'es on writable partitions
38# ({/data,/mnt/expand/<volume-uuid>}/app/...).
39# Also allow creating the "oat" directory before restorecon.
40allow artd mnt_expand_file:dir { getattr search };
41allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
42allow artd apk_data_file:file r_file_perms;
43allow artd apk_tmp_file:dir { rw_dir_perms create setattr relabelfrom };
44allow artd apk_tmp_file:file r_file_perms;
45
46# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
47r_dir_file(artd, vendor_app_file)
48
49# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
50allow artd oemfs:dir { getattr search };
51r_dir_file(artd, vendor_overlay_file)
52# Vendor overlay can be found in vendor apex
53allow artd vendor_apex_metadata_file:dir { getattr search };
54
55# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
56r_dir_file(artd, vendor_framework_file)
57
58# Read/write access to all compilation artifacts generated on device for apps'
59# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
60allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
61allow artd dalvikcache_data_file:file { create_file_perms relabelto };
62
63# Read access to the ART APEX data directory.
64# Needed for reading the boot image generated on device.
65allow artd apex_module_data_file:dir { getattr search };
66r_dir_file(artd, apex_art_data_file)
67
68# Read access to /apex/apex-info-list.xml
69# Needed for getting APEX versions.
70allow artd apex_info_file:file r_file_perms;
71
72# Allow getting root capabilities to bypass permission checks.
73# - "dac_override" and "dac_read_search" are for
74#   - reading secondary dex'es in app data directories (reading primary dex'es
75#     doesn't need root capabilities)
76#   - managing (CRUD) compilation artifacts in both APK directories for primary
77#     dex'es and in app data directories for secondary dex'es
78#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
79# - "fowner" is for adjusting the file permissions of compilation artifacts and
80#   profile files based on whether they include user data or not.
81# - "chown" is for transferring the ownership of compilation artifacts and
82#   profile files to the system or apps.
83allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
84
85# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
86# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
87allow artd user_profile_root_file:dir r_dir_perms;
88allow artd user_profile_data_file:dir rw_dir_perms;
89allow artd user_profile_data_file:file create_file_perms;
90
91# Read/write access to secondary dex files, their profiles, and their
92# compilation artifacts
93# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
94allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
95allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
96
97# Allow symlinks for secondary dex files. This has be to restricted because
98# symlinks can cause various security issues. We allow "privapp_data_file" just
99# for GMS because so far we only see GMS using symlinks.
100allow artd privapp_data_file:lnk_file { getattr read };
101
102# Read access to SELinux context files, for restorecon.
103allow artd file_contexts_file:file r_file_perms;
104allow artd seapp_contexts_file:file r_file_perms;
105
106# Check validity of SELinux context, for restorecon.
107selinux_check_context(artd)
108
109# Allow scanning /, for cleaning up obsolete managed files.
110allow artd rootfs:dir r_dir_perms;
111
112# Allow scanning /data, for cleaning up obsolete managed files.
113allow artd system_data_root_file:dir r_dir_perms;
114
115# Allow scanning /mnt, for cleaning up obsolete managed files.
116allow artd tmpfs:dir r_dir_perms;
117
118# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
119allow artd mnt_expand_file:dir r_dir_perms;
120
121# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
122# up obsolete managed files.
123allow artd system_userdir_file:dir r_dir_perms;
124
125# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
126# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
127allow artd system_data_file:dir r_dir_perms;
128
129# Allow art_exec_exec to use the artd domain because it is a thin wrapper that
130# executes other binaries on behalf of artd. Domain transition will take place
131# as soon as art_exec_exec executes other binaries.
132allow artd art_exec_exec:file rx_file_perms;
133
134# Allow running other binaries in their own domains.
135domain_auto_trans(artd, profman_exec, profman)
136domain_auto_trans(artd, dex2oat_exec, dex2oat)
137
138# Allow sending sigkill to subprocesses.
139allow artd artd_subprocess_type:process sigkill;
140
141# Allow reading process info (/proc/<pid>/...).
142# This is needed for getting CPU time and wall time spent on subprocesses.
143r_dir_file(artd, profman);
144r_dir_file(artd, dex2oat);
145
146# Allow artd to reopen its own memfd.
147# artd needs to reopen a memfd with readonly in order to pass it to subprocesses
148# that don't have write permissions on memfds.
149allow artd artd_tmpfs:file open;
150
151# For Pre-reboot Dexopt.
152
153# Allow init to execute artd through art_exec.
154allow artd art_exec:fd use;
155
156# During Pre-reboot Dexopt, artd needs one more capability:
157# - "sys_admin" is for bind-mounting temp dirs at
158#   /data/misc/apexdata/com.android.art and /data/misc/odrefresh, to run
159#   odrefresh innocuously (in a way that doesn't affect the real boot images,
160#   metrics, etc.).
161allow artd self:global_capability_class_set sys_admin;
162
163# Allow running other binaries in their own domains.
164domain_auto_trans(artd, derive_classpath_exec, derive_classpath)
165domain_auto_trans(artd, odrefresh_exec, odrefresh)
166
167# Allow accessing Pre-reboot Dexopt files.
168allow artd pre_reboot_dexopt_file:dir { getattr search };
169
170# Allow reading /init.environ.rc in chroot, to extract env vars from it.
171allow artd rootfs:file { read open getattr };
172
173# Allow managing Pre-reboot Dexopt temp files.
174# The root of the temp dir that artd uses during Pre-reboot Dexopt is labeled
175# pre_reboot_dexopt_artd_file. Inside the temp dir, we create files and dirs and
176# relabel them after creation, so we need relabelfrom.
177allow artd pre_reboot_dexopt_artd_file:dir { create_dir_perms relabelfrom };
178allow artd pre_reboot_dexopt_artd_file:file { create_file_perms relabelfrom };
179
180# Allow bind-mounting at /data/misc/apexdata/com.android.art and
181# /data/misc/odrefresh and restorecon, to run odrefresh innocuously.
182allow artd { apex_art_data_file odrefresh_data_file }:dir relabelto;
183allow artd { apex_art_data_file odrefresh_data_file pre_reboot_dexopt_artd_file }:dir mounton;
184
185# Neverallow rules.
186
187# Never allow running other binaries without a domain transition.
188# The exception for art_exec_exec is explained above.
189neverallow artd ~{art_exec_exec}:file execute_no_trans;
190
191# Make sure artd_subprocess_type is complete, in a sense that it includes all
192# types of artd subprocesses.
193neverallow artd ~{artd_subprocess_type crash_dump}:process transition;
194
195# artd uses process groups to manage subprocesses and kill them. To ensure
196# successful kill, we need to prevent subprocesses from changing their
197# process groups or transitioning to other domains.
198# Transitioning crash_dump is allowed because it is transient and is only used
199# upon crashes.
200neverallow artd_subprocess_type self:process setpgid;
201neverallow artd_subprocess_type ~{artd_subprocess_type crash_dump}:process transition;
202