1 # dexoptanalyzer 2 type dexoptanalyzer, domain, coredomain, mlstrustedsubject; 3 type dexoptanalyzer_exec, exec_type, file_type; 4 5 # Reading an APK opens a ZipArchive, which unpack to tmpfs. 6 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their 7 # own label, which differs from other labels created by other processes. 8 # This allows to distinguish in policy files created by dexoptanalyzer vs other 9 #processes. 10 tmpfs_domain(dexoptanalyzer) 11 12 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot 13 # app_data_file the oat file is symlinked to the original file in /system. 14 allow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; 15 allow dexoptanalyzer dalvikcache_data_file:file r_file_perms; 16 allow dexoptanalyzer dalvikcache_data_file:lnk_file read; 17 18 allow dexoptanalyzer installd:fd use; 19 20 # Allow reading secondary dex files that were reported by the app to the 21 # package manager. 22 allow dexoptanalyzer app_data_file:dir { getattr search }; 23 allow dexoptanalyzer app_data_file:file r_file_perms; 24 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the 25 # "dontaudit...audit_access" policy line to suppress the audit access without 26 # suppressing denial on actual access. 27 dontaudit dexoptanalyzer app_data_file:dir audit_access; 28 29 # Allow testing /data/user/0 which symlinks to /data/data 30 allow dexoptanalyzer system_data_file:lnk_file { getattr }; 31
