Update SELinux policy for Pre-reboot Dexopt.
- Add pm.dexopt.* properties.
- Add rules for running artd in chroot.
Bug: 311377497
Test: manual - Run Pre-reboot Dexopt and see no denial.
Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
diff --git a/private/file.te b/private/file.te
index 50ea4c3..b5b22a2 100644
--- a/private/file.te
+++ b/private/file.te
@@ -132,11 +132,6 @@
# /apex/com.android.compos/bin/compos_key_helper
type compos_key_helper_exec, exec_type, file_type, system_file_type;
-# /apex/com.android.art/bin/art_exec
-# This executable does not have its own domain because it is executed in the caller's domain. For
-# example, it is executed in the `artd` domain when artd calls it.
-type art_exec_exec, system_file_type, exec_type, file_type;
-
# Filesystem entry for for PRNG seeder socket. Processes require
# write permission on this to connect, and needs to be mlstrustedobject
# in to satisfy MLS constraints for trusted domains.
@@ -163,3 +158,10 @@
# /data/misc/connectivityblobdb
type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
+
+# Type for /mnt/pre_reboot_dexopt
+type pre_reboot_dexopt_file, file_type;
+
+# Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot
+# This type is set on the directory through the `rootcontext=` mount option.
+type pre_reboot_dexopt_artd_file, file_type;
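Review bot: The two types added at the end of this hunk are declared with only `file_type`, and their comments name the mount point without saying which domains are meant to read or write under it. Because `pre_reboot_dexopt_artd_file` is set on the mount root through `rootcontext=`, files created below it will by default inherit that label unless a type transition says otherwise. The intended access set is therefore worth recording beside the declaration, for example `# Only artd running inside the Pre-reboot Dexopt chroot is expected to create files here.`, if that matches the allow rules elsewhere in this change. The comment on `pre_reboot_dexopt_file` could likewise say whether `/mnt/pre_reboot_dexopt` gets its label from file_contexts or at mount time, which this hunk does not show. If access is meant to stay narrow, a neverallow placed with the allow rules would keep later changes from widening it unnoticed.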