Merge "Audit access to libart"

app.te

@@ -10,6 +10,9 @@
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
+# allow access to the interpreter
+allow appdomain libart_file:file { execute read open getattr };
+
 allow appdomain ashmem_device:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.

dex2oat.te

@@ -6,6 +6,9 @@ r_dir_file(dex2oat, apk_data_file)
 
 allow dex2oat tmpfs:file { read getattr };
 
+# allow access to the interpreter
+allow dex2oat libart_file:file { execute read open getattr };
+
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where

domain.te

@@ -101,6 +101,17 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;
 
+# Initially grant all domains access to libart.
+# TODO move to a whitelist. b/29795519
+allow domain libart_file:file { execute read open getattr };
+auditallow {
+  domain
+  -appdomain
+  -dex2oat
+  -recovery
+  -zygote
+} libart_file:file { execute read open getattr };
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
@@ -294,7 +305,7 @@ neverallow {
     userdebug_or_eng(`-su')
     -system_server
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
     domain
     -appdomain # for oemfs

file.te

@@ -68,6 +68,8 @@ type app_fusefs, fs_type, contextmount_type;
 type unlabeled, file_type;
 # Default type for anything under /system.
 type system_file, file_type;
+# Type for /system/*/libart*
+type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds

file_contexts

@@ -216,7 +216,8 @@
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
-
+/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
+/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 
 #############################
 # Vendor files

recovery.te

@@ -28,7 +28,7 @@ recovery_only(`
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
   # We may be asked to set an SELinux label for a type not known to the

zygote.te

@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
+allow zygote libart_file:file { execute read open getattr };
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?