1 # dex2oat 2 type dex2oat, domain, domain_deprecated; 3 type dex2oat_exec, exec_type, file_type; 4 5 allow dex2oat dalvikcache_data_file:file write; 6 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where 7 # the oat file is symlinked to the original file in /system. 8 allow dex2oat dalvikcache_data_file:lnk_file read; 9 allow dex2oat installd:fd use; 10 11 # Read already open asec_apk_file file descriptors passed by installd. 12 # Also allow reading unlabeled files, to allow for upgrading forward 13 # locked APKs. 14 allow dex2oat asec_apk_file:file read; 15 allow dex2oat unlabeled:file read; 16 allow dex2oat oemfs:file read; 17 allow dex2oat apk_tmp_file:file read; 18 allow dex2oat user_profile_data_file:file { getattr read lock }; 19 20 ################## 21 # A/B OTA Dexopt # 22 ################## 23 24 # Allow dex2oat to use file descriptors from otapreopt. 25 allow dex2oat postinstall_dexopt:fd use; 26 27 allow dex2oat postinstall_file:dir { getattr search }; 28 29 # Allow dex2oat access to files in /data/ota. 30 allow dex2oat ota_data_file:dir ra_dir_perms; 31 allow dex2oat ota_data_file:file r_file_perms; 32 33 # Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, 34 # where the oat file is symlinked to the original file in /system. 35 allow dex2oat ota_data_file:lnk_file { create read }; 36 37 # It would be nice to tie this down, but currently, because of how images are written, we can't 38 # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to 39 # create them itself (and make them world-readable). 40 allow dex2oat ota_data_file:file { create w_file_perms setattr }; 41 42 ############## 43 # Neverallow # 44 ############## 45 46 neverallow dex2oat app_data_file:notdevfile_class_set open; 47