Allow artd to access primary dex'es in external and vendor partitions.
Otherwise, we will get SELinux denials like:
W binder:6098_5: type=1400 audit(0.0:138): avc: denied { search } for name="framework" dev="dm-6" ino=478 scontext=u:r:artd:s0 tcontext=u:object_r:vendor_framework_file:s0 tclass=dir permissive=0
Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Ic31fdabb16341c51466531c88ca040698331b248
diff --git a/private/artd.te b/private/artd.te
index 63045af..96b2990 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
# Allow testing userfaultfd support.
userfaultfd_use(artd)
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;