Fix sepolicy for secondary dex files

Calin Juravle · Calin Juravle · commit 0bee12090002 · 2020-07-22T14:10:06.000-07:00
dexoptanalyzer need read access on the secondary
dex files and of the main apk files in order to successfully evaluate
and optimize them.

Example of denial:
audit(0.0:30): avc: denied { read } for
path="/data/app/~~Zux_isdY0NBkRWPp01oAVg==/com.example.secondaryrepro-wH9zezMSCzIjcKdIMtrw7A==/base.apk"
dev="vdc" ino=40966 scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=com.example.secondaryrepro

Test: adb shell cmd package compile -r bg-dexopt --secondary-dex app
Bug: 160471235
Bug: 160351055
Merged-In: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
Change-Id: Id0bda5237d3ce1620d4f6ee89595836b4e1f3abf
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
@@ -22,6 +22,7 @@ full_treble_only(`
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -38,6 +39,7 @@ full_treble_only(`
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
diff --git a/prebuilts/api/30.0/private/dexoptanalyzer.te b/prebuilts/api/30.0/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
 
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
diff --git a/private/coredomain.te b/private/coredomain.te
@@ -22,6 +22,7 @@ full_treble_only(`
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -38,6 +39,7 @@ full_treble_only(`
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
 
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
