Something went wrong on our end
-
Calin Juravle authoredWhen opening the dex files we sometime need to check for the real location of the file (even if it was open via an fd). Denial example: avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13" ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0 Test: verify we get no denials when taking a profile snapshot. Bug: 77922323 Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54Calin Juravle authoredWhen opening the dex files we sometime need to check for the real location of the file (even if it was open via an fd). Denial example: avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13" ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0 Test: verify we get no denials when taking a profile snapshot. Bug: 77922323 Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54
profman.te 962 B
# profman
type profman, domain;
type profman_exec, exec_type, file_type;
allow profman user_profile_data_file:file { getattr read write lock };
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
allow profman apk_data_file:file { getattr read };
allow profman apk_data_file:dir { getattr read search };
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
allow profman profman_dump_data_file:file { write };
allow profman installd:fd use;
# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman app_data_file:file { getattr read write lock };
allow profman app_data_file:dir { getattr read search };
###
### neverallow rules
###
neverallow profman app_data_file:notdevfile_class_set open;