Add policy for CompOS APEX data files.
Grant odsign access to read & delete pending key files. Eventually
we will grant the CompOS daemon write access.
Bug: 190166662
Test: Via odsign; no denials seen.
Change-Id: I6d3c3e5b2aec8ef65bd28cbb274d18263534ce66
diff --git a/private/file.te b/private/file.te
index 29ab8a9..124309c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -48,6 +48,9 @@
# /data/misc/apexdata/com.android.art/staging
type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/apexdata/com.android.compos
+type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
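Review bot: The added `apex_compos_data_file` type carries `apex_data_file_type`, so any allow rule written against that attribute elsewhere in the policy also applies to the directory that holds CompOS pending key files. Those rules are outside this hunk, so it is worth confirming which domains gain access through the attribute and whether that is intended for key material. A `neverallow` restricting file read and write on this type to the expected domains would make the intent enforceable at build time. The path comment could also say what is stored there, e.g. `# /data/misc/apexdata/com.android.compos - CompOS pending key files`.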
diff --git a/private/file_contexts b/private/file_contexts
index 8e341de..779a37a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -568,6 +568,7 @@
/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
diff --git a/private/odsign.te b/private/odsign.te
index 57ca048..10adcd5 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -44,6 +44,10 @@
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
+# For CompOS pending key files
+allow odsign apex_compos_data_file:dir { getattr search write remove_name };
+allow odsign apex_compos_data_file:file { r_file_perms unlink };
+
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
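Review bot: The comment `# For CompOS pending key files` is narrower than what the two added allow rules grant. The file_contexts entry in this commit labels everything under `/data/misc/apexdata/com\.android\.compos(/.*)?` as `apex_compos_data_file`, so odsign can read and unlink any file later placed in that tree, not only pending keys. If the CompOS daemon is expected to keep other state there once it gets write access, a dedicated type for the pending-key location would keep odsign's access scoped. It would also help to record why the dir permissions look the way they do, e.g. `# Read and delete only: write/remove_name on the dir are needed for unlink; add_name/create are intentionally not granted.`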