Allow system_server to kill artd and its subprocesses. This is to make sure that no process is accessing files in chroot when we teardown chroot. Bug: 311377497 Test: Set a very short timeout for `ensureNoProcessInDir` and run Pre-reboot Dexopt. Change-Id: I5c60497c73a9d56068e47840ffd4a0f0a550c250

commit: 03f98668730b8bca96bbf7c2e219680843acbfab [log] [tgz]
author: Jiakai Zhang <jiakaiz@google.com> Fri May 31 19:06:12 2024 +0100
committer: Jiakai Zhang <jiakaiz@google.com> Fri May 31 19:06:12 2024 +0100
tree: d0154ab99389e5ab8ffaa09055087fc61017d86d
parent: ca2f3851afaee866d37caae16598b3d5c20844d4 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 406c146..e7ae9fc 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1656,6 +1656,16 @@
 # otapreopt_script is still alive.
 allow system_server postinstall:fifo_file read;
 
+# Allow system_server to kill artd and its subprocesses, to make sure that no process is accessing
+# files in chroot when we teardown chroot.
+allow system_server {
+  artd
+  derive_classpath
+  dex2oat
+  odrefresh
+  profman
+}:process sigkill;
+
 # Do not allow any domain other than init or system server to get or set the property
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
commit	03f98668730b8bca96bbf7c2e219680843acbfab	[log] [tgz]
author	Jiakai Zhang <jiakaiz@google.com>	Fri May 31 19:06:12 2024 +0100
committer	Jiakai Zhang <jiakaiz@google.com>	Fri May 31 19:06:12 2024 +0100
tree	d0154ab99389e5ab8ffaa09055087fc61017d86d
parent	ca2f3851afaee866d37caae16598b3d5c20844d4 [diff] [blame]