Home | History | Annotate | Download | only in sepolicy
      1 # dex2oat
      2 type dex2oat, domain, domain_deprecated;
      3 type dex2oat_exec, exec_type, file_type;
      4 
      5 allow dex2oat dalvikcache_data_file:file write;
      6 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
      7 # the oat file is symlinked to the original file in /system.
      8 allow dex2oat dalvikcache_data_file:lnk_file read;
      9 allow dex2oat installd:fd use;
     10 
     11 # Read already open asec_apk_file file descriptors passed by installd.
     12 # Also allow reading unlabeled files, to allow for upgrading forward
     13 # locked APKs.
     14 allow dex2oat asec_apk_file:file read;
     15 allow dex2oat unlabeled:file read;
     16 allow dex2oat oemfs:file read;
     17 allow dex2oat apk_tmp_file:file read;
     18 allow dex2oat user_profile_data_file:file { getattr read lock };
     19 
     20 ##################
     21 # A/B OTA Dexopt #
     22 ##################
     23 
     24 # Allow dex2oat to use file descriptors from otapreopt.
     25 allow dex2oat postinstall_dexopt:fd use;
     26 
     27 allow dex2oat postinstall_file:dir { getattr search };
     28 
     29 # Allow dex2oat access to files in /data/ota.
     30 allow dex2oat ota_data_file:dir ra_dir_perms;
     31 allow dex2oat ota_data_file:file r_file_perms;
     32 
     33 # Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
     34 # where the oat file is symlinked to the original file in /system.
     35 allow dex2oat ota_data_file:lnk_file { create read };
     36 
     37 # It would be nice to tie this down, but currently, because of how images are written, we can't
     38 # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
     39 # create them itself (and make them world-readable).
     40 allow dex2oat ota_data_file:file { create w_file_perms setattr };
     41 
     42 ##############
     43 # Neverallow #
     44 ##############
     45 
     46 neverallow dex2oat app_data_file:notdevfile_class_set open;
     47