Update SELinux policy to allow artd to perform secondary dex compilation Secondary dex files are in app data directories. In order to perform secondary dex compilation, artd needs permissions to: - Read secondary dex files - Create "oat" dir - Create a reference profile in "oat" dir - Rename the reference profile - Delete the reference profile - Read the current profile in "oat" dir - Delete the current profile - Create compilation artifacts in "oat" dir - Rename compilation artifacts - Delete compilation artifacts Bug: 249984283 Test: - 1. adb shell pm art optimize-package --secondary-dex -m speed-profile -f com.google.android.gms 2. See no SELinux denial. Change-Id: I19a0ea7895a54c67959b22085de27d1d0ccc1efc

commit: 2ffeca72a639d3a8c7adf80dd7f7abd26546ab47 [log] [tgz]
author: Jiakai Zhang <jiakaiz@google.com> Fri Oct 21 17:03:56 2022 +0100
committer: Jiakai Zhang <jiakaiz@google.com> Mon Oct 24 16:07:01 2022 +0100
tree: 06bc986c56d01cacbaf497ca578bc156fb71f4f6
parent: 4a5c2dee685c23f6df950e0f91705e4c17a38525 [diff] [blame]
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 0aed4d3..67bd113 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te

@@ -6,16 +6,19 @@
 
 neverallow {
   mlstrustedsubject
+  -artd # compile secondary dex files
   -installd
 } { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
 
 neverallow {
   mlstrustedsubject
+  -artd # compile secondary dex files
   -installd
 } { app_data_file privapp_data_file }:dir ~{ read getattr search };
 
 neverallow {
   mlstrustedsubject
+  -artd # compile secondary dex files
   -installd
   -system_server
   -adbd
commit	2ffeca72a639d3a8c7adf80dd7f7abd26546ab47	[log] [tgz]
author	Jiakai Zhang <jiakaiz@google.com>	Fri Oct 21 17:03:56 2022 +0100
committer	Jiakai Zhang <jiakaiz@google.com>	Mon Oct 24 16:07:01 2022 +0100
tree	06bc986c56d01cacbaf497ca578bc156fb71f4f6
parent	4a5c2dee685c23f6df950e0f91705e4c17a38525 [diff] [blame]