Merge "Update automotive_display_service selinux policy"
diff --git a/prebuilts/api/30.0/private/gmscore_app.te b/prebuilts/api/30.0/private/gmscore_app.te
index 2355326..b7c9235 100644
--- a/prebuilts/api/30.0/private/gmscore_app.te
+++ b/prebuilts/api/30.0/private/gmscore_app.te
@@ -75,6 +75,10 @@
 # TODO: Tighten (b/112357170)
 allow gmscore_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
 allow gmscore_app privapp_data_file:lnk_file create_file_perms;
 
 # /proc access
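Review bot: The comment added above the `system_linker_exec` rule has a duplicated word ("uses the the dynamic linker") and does not record what the permission implies; the same lines are repeated in the priv_app.te hunk. `execute_no_trans` runs the system linker inside gmscore_app (and priv_app) with no domain transition, so the native code it loads from the APK keeps the full permissions of the calling domain. I would reword the comment to `# Chrome Crashpad uses the dynamic linker to load native executables from an APK; the linker runs in the caller's domain (no transition).` Both files sit under prebuilts/api/30.0 and no matching change to the current private/ policy is visible in this part of the diff, so confirm that the live policy carries the same rule.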
diff --git a/prebuilts/api/30.0/private/priv_app.te b/prebuilts/api/30.0/private/priv_app.te
index 44c81ee..c5f7013 100644
--- a/prebuilts/api/30.0/private/priv_app.te
+++ b/prebuilts/api/30.0/private/priv_app.te
@@ -25,6 +25,10 @@
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
 # Priv apps can find services that expose both @SystemAPI and normal APIs.
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index d194acb..b99349e 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -51,3 +51,6 @@
 # Allow query ART device config properties
 get_prop(dexoptanalyzer, device_config_runtime_native_prop)
 get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
+
+# Allow dexoptanalyzer to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
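Review bot: The new rule at the end of private/dexoptanalyzer.te grants the read to `dex2oat`, while the comment above it and every other rule visible in this file name `dexoptanalyzer`. As written, dexoptanalyzer gets no access to `apex_info_file` and would presumably still be denied when reading /apex/apex-info-list.xml, while dex2oat gains a permission from a file that does not describe it. If the comment states the intent, the line should read `allow dexoptanalyzer apex_info_file:file r_file_perms;`. If dex2oat also needs the access, that rule belongs in dex2oat.te with its own comment.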
diff --git a/public/app.te b/public/app.te
index e4b293f..5527f99 100644
--- a/public/app.te
+++ b/public/app.te
@@ -16,6 +16,9 @@
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
 # gdbserver for ndk-gdb reads the zygote.
 # valgrind needs mmap exec for zygote
 allow appdomain zygote_exec:file rx_file_perms;
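Review bot: `allow appdomain app_zygote:fd use;` is granted to every domain in the `appdomain` attribute, although the comment only describes processes that inherit descriptors from an app zygote. If only the domains forked from app_zygote need this (isolated_app, as far as I can tell), scoping the rule to them, for example `allow isolated_app app_zygote:fd use;`, keeps other app domains from accepting descriptors that originate in an app-controlled zygote. Because this is public policy, the wider grant also becomes part of what vendor policy can rely on. If the broad scope is intended, the comment should say why.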