typeattribute profman coredomain;
typeattribute profman artd_subprocess_type;

# Allow profman to read APKs and profile files next to them by FDs passed from
# other programs. In addition, allow profman to acquire flocks on those files.
allow profman {
  system_file
  apk_data_file
  apk_tmp_file
  vendor_app_file
}:file { getattr read map lock };

# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;

# Allow profman to read from a memfd created by artd.
# profman needs to read the embedded profile that artd extracts from an APK,
# which is passed by a memfd.
allow profman artd_tmpfs:file { getattr read map lock };

allow profman user_profile_data_file:file { getattr read write lock map };

# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read map };
allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };
allow profman apk_tmp_file:dir { getattr read search };

allow profman oemfs:file { read map };
# Reading an APK opens a ZipArchive, which unpacks to tmpfs.
allow profman tmpfs:file { read map };
allow profman profman_dump_data_file:file { write map };

# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };

# Allow querying ART device config properties.
get_prop(profman, device_config_runtime_native_prop)
get_prop(profman, device_config_runtime_native_boot_prop)

###
### neverallow rules
###

neverallow profman app_data_file_type:notdevfile_class_set open;