odrefresh.te: use create_rw_perms for apex_art_data_file:file
odrefresh should be able to setattr on generated artifacts. This became
apparent now that it is launched from init, which sets a restrictive umask
on forked processes.
Bug: 181397437
Test: manually apply ART APEX update
Change-Id: I8e30c1ef1e42b3b68b3c07e860abb4dc2728e275
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 097098b..9c615fa 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,7 @@
# Allow odrefresh to create files and directories for on device signing.
allow odrefresh apex_module_data_file:dir { getattr search };
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+allow odrefresh apex_art_data_file:file create_file_perms;
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
# sets up files here and passes file descriptors for dex2oat to write to.
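Review bot: The new `apex_art_data_file:file` rule grants the whole `create_file_perms` set, but the commit message justifies only `setattr`. As defined in AOSP's global_macros, that macro also adds `rename`, `append`, `ioctl`, `lock` and `map`, none of which the old explicit list allowed. If `setattr` is the only missing permission, the narrower rule `allow odrefresh apex_art_data_file:file { open create write read getattr setattr unlink };` keeps the domain closer to least privilege. The subject line names `create_rw_perms` while the rule uses `create_file_perms`, so one of the two should be corrected before this lands. A short comment above the rule, such as `# setattr: init's restrictive umask requires odrefresh to chmod generated artifacts`, would record why the permission exists for later audits.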