1# dex2oat 2type dex2oat, domain, coredomain; 3type dex2oat_exec, system_file_type, exec_type, file_type; 4 5r_dir_file(dex2oat, apk_data_file) 6# Access to /vendor/app 7r_dir_file(dex2oat, vendor_app_file) 8# Access /vendor/framework 9allow dex2oat vendor_framework_file:dir { getattr search }; 10allow dex2oat vendor_framework_file:file { getattr open read map }; 11 12allow dex2oat tmpfs:file { read getattr map }; 13 14r_dir_file(dex2oat, dalvikcache_data_file) 15allow dex2oat dalvikcache_data_file:file write; 16# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where 17# the oat file is symlinked to the original file in /system. 18allow dex2oat dalvikcache_data_file:lnk_file read; 19allow dex2oat installd:fd use; 20 21# Acquire advisory lock on /system/framework/arm/* 22allow dex2oat system_file:file lock; 23 24# Read already open asec_apk_file file descriptors passed by installd. 25# Also allow reading unlabeled files, to allow for upgrading forward 26# locked APKs. 27allow dex2oat asec_apk_file:file { read map }; 28allow dex2oat unlabeled:file { read map }; 29allow dex2oat oemfs:file { read map }; 30allow dex2oat apk_tmp_file:dir search; 31allow dex2oat apk_tmp_file:file r_file_perms; 32allow dex2oat user_profile_data_file:file { getattr read lock map }; 33 34# Allow dex2oat to compile app's secondary dex files which were reported back to 35# the framework. 36allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map }; 37 38################## 39# A/B OTA Dexopt # 40################## 41 42# Allow dex2oat to use file descriptors from otapreopt. 43allow dex2oat postinstall_dexopt:fd use; 44 45# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker). 46allow dex2oat postinstall_file:dir r_dir_perms; 47allow dex2oat postinstall_file:filesystem getattr; 48allow dex2oat postinstall_file:lnk_file { getattr read }; 49allow dex2oat postinstall_file:file read; 50# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so). 51# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX. 52allow dex2oat postinstall_file:file { execute getattr open }; 53 54# Allow dex2oat access to /postinstall/apex. 55allow dex2oat postinstall_apex_mnt_dir:dir { getattr search }; 56 57# Allow dex2oat access to files in /data/ota. 58allow dex2oat ota_data_file:dir ra_dir_perms; 59allow dex2oat ota_data_file:file r_file_perms; 60 61# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, 62# where the oat file is symlinked to the original file in /system. 63allow dex2oat ota_data_file:lnk_file { create read }; 64 65# It would be nice to tie this down, but currently, because of how images are written, we can't 66# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to 67# create them itself (and make them world-readable). 68allow dex2oat ota_data_file:file { create w_file_perms setattr }; 69 70############### 71# APEX Update # 72############### 73 74# /dev/zero is inherited. 75allow dex2oat apexd:fd use; 76 77# Allow dex2oat to use file descriptors from preinstall. 78allow dex2oat art_apex_preinstall:fd use; 79 80############## 81# Neverallow # 82############## 83 84neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open; 85