1# dexoptanalyzer 2type dexoptanalyzer, domain, coredomain, mlstrustedsubject; 3type dexoptanalyzer_exec, system_file_type, exec_type, file_type; 4type dexoptanalyzer_tmpfs, file_type; 5 6# Reading an APK opens a ZipArchive, which unpack to tmpfs. 7# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their 8# own label, which differs from other labels created by other processes. 9# This allows to distinguish in policy files created by dexoptanalyzer vs other 10#processes. 11tmpfs_domain(dexoptanalyzer) 12 13# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot 14# app_data_file the oat file is symlinked to the original file in /system. 15allow dexoptanalyzer dalvikcache_data_file:dir { getattr search }; 16allow dexoptanalyzer dalvikcache_data_file:file r_file_perms; 17allow dexoptanalyzer dalvikcache_data_file:lnk_file read; 18 19allow dexoptanalyzer installd:fd use; 20allow dexoptanalyzer installd:fifo_file { getattr write }; 21 22# Acquire advisory lock on /system/framework/arm/* 23allow dexoptanalyzer system_file:file lock; 24 25# Allow reading secondary dex files that were reported by the app to the 26# package manager. 27allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search }; 28allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map }; 29# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the 30# "dontaudit...audit_access" policy line to suppress the audit access without 31# suppressing denial on actual access. 32dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access; 33 34# Allow testing /data/user/0 which symlinks to /data/data 35allow dexoptanalyzer system_data_file:lnk_file { getattr }; 36