Allow VS to run derive_classpath We run it in our domain since it requires fairly minimal access. Bug: 210472252 Test: atest virtualizationservice_device_test Test: composd_cmd test-compile Change-Id: Ia770cd38bda67f79f56549331d3a36d7979a5d5b

commit: 3fad86bb8a055f06123fce561531f64c6429572c [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Tue Jan 04 17:34:53 2022 +0000
committer: Alan Stokes <alanstokes@google.com> Thu Jan 06 15:58:59 2022 +0000
tree: 58043debafffc52437e3eae17402ce57fed1a0b7
parent: 3b0f637ad0ee38a65d046ea68e92bb9dac0356f2 [diff]
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1418642..d304ae6 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -52,6 +52,10 @@
 allow virtualizationservice staging_data_file:file r_file_perms;
 allow virtualizationservice staging_data_file:dir search;
 
+# Run derive_classpath in our domain
+allow virtualizationservice derive_classpath_exec:file rx_file_perms;
+allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
@@ -61,6 +65,7 @@
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
+
 neverallow {
   domain
   -init
commit	3fad86bb8a055f06123fce561531f64c6429572c	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Tue Jan 04 17:34:53 2022 +0000
committer	Alan Stokes <alanstokes@google.com>	Thu Jan 06 15:58:59 2022 +0000
tree	58043debafffc52437e3eae17402ce57fed1a0b7
parent	3b0f637ad0ee38a65d046ea68e92bb9dac0356f2 [diff]