Skip to content
Snippets Groups Projects
  • Roland Levillain's avatar
    Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access. · d8a9a493
    Roland Levillain authored
    SELinux has a separate file mmap permission in 4.14+ kernels. Add this
    to dexoptanalyzer(d) in cases where it could already access files (in
    particular, secondary dex files).
    
    Addresses denials of the form:
    
      avc: denied { map } for […] path="/data/data/[…]" […]
      scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0
    
    (cherry picked from commit c72b7d17310499f6bd6545e0e509fd603045d329)
    
    Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel
          and check the absence of SELinux denials
    Bug: 138683603
    
    Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
    d8a9a493
dexoptanalyzer.te 1.56 KiB
# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;

# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
#processes.
tmpfs_domain(dexoptanalyzer)

# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;

allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };

# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;

# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };