[layout compilation] Modify sepolicy to allow installd to run viewcompiler

We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work. Bug: 111895153 Test: manual Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b

[layout compilation] Modify sepolicy to allow installd to run viewcompiler
We will generate precompiled layouts as part of the package install or upgrade process. This means installd needs to be able to invoke viewcompiler. This change gives installd and viewcompiler the minimal set of permissions needed for this to work. Bug: 111895153 Test: manual Change-Id: Ic1fe60bd264c497b5f79d9e1d77c2da4e092377b
f8dfb5f8 · Eric Holk · d25f1303 · f8dfb5f8 · f8dfb5f8 · f8dfb5f8
Commit f8dfb5f8 authored 6 years ago by Eric Holk
--- a/private/domain.te
+++ b/private/domain.te
@@ -108,6 +108,7 @@ neverallow {
  -rs # spawned by appdomain, so carryover the exception above
  -runas
  -system_server
+  -viewcompiler
 } { privapp_data_file app_data_file }:dir *;
 # Only apps should be modifying app data. installd is exempted for

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -272,6 +272,7 @@
 /system/bin/dexoptanalyzer(d)?     u:object_r:dexoptanalyzer_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat(d)?    u:object_r:dex2oat_exec:s0
+/system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
 /system/bin/profman(d)?     u:object_r:profman_exec:s0
 /system/bin/iorapd          u:object_r:iorapd_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0

--- a/private/installd.te
+++ b/private/installd.te
@@ -8,6 +8,9 @@ domain_auto_trans(installd, dex2oat_exec, dex2oat)
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
 # Run profman in its own sandbox.
 domain_auto_trans(installd, profman_exec, profman)

--- a/private/viewcompiler.te
+++ b/private/viewcompiler.te
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+allow viewcompiler installd:fd use;
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file read;
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;