Merge "Virtual_ab: Add property to control batch writes"
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 9222bdb..c2a3f4c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -85,7 +85,6 @@
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
diff --git a/private/artd.te b/private/artd.te
index 63045af..96b2990 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
# Allow testing userfaultfd support.
userfaultfd_use(artd)
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
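Review bot: The two bare `allow` lines added here, `allow artd mnt_expand_file:dir { getattr search };` and `allow artd oemfs:dir { getattr search };`, have no comment of their own, so a later reader cannot tell they are traversal-only grants for reaching `/mnt/expand/<volume-uuid>/app` and `/oem/overlay`. I would add a line such as `# Traversal only: search /oem to reach /oem/overlay; no read of other oemfs content.` above the oemfs rule, and an equivalent one above the mnt_expand_file rule. The `r_dir_file` grants on `vendor_overlay_file` and `vendor_framework_file` give a core domain read access to vendor-labelled files. Their comments list the paths but not which artd operation needs them; naming it would make the least-privilege case reviewable.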
diff --git a/private/coredomain.te b/private/coredomain.te
index c041ca3..55f715d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -92,6 +92,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
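Review bot: `-artd` is added to the exemption list of this neverallow, and of the one in the next hunk (new line 111), with no comment saying why. The target types and permissions of both rules lie outside the hunks. Presumably these are the neverallows that keep core domains away from the vendor overlay type, matching the new `r_dir_file(artd, vendor_overlay_file)` in private/artd.te, but that should be confirmed against the full rules. Each exemption relaxes a policy invariant for the whole domain, so I would record the reason next to the list, e.g. `# artd only reads vendor overlay APKs; see private/artd.te`. It is also worth checking that artd is exempted only for types artd.te actually grants.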
@@ -110,6 +111,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd