SELinux policy for on-device signing binary.
Bug: 165630556
Test: no denials on boot
Change-Id: I9d75659fb1eaea562c626ff54521f6dfb02da6b3
diff --git a/private/odrefresh.te b/private/odrefresh.te
index c1ccc38..097098b 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -18,6 +18,10 @@
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow odrefresh odsign_devpts:chr_file { read write };
+allow odrefresh odsign:fd use;
+
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
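Review bot: The comment above the two new `allow` rules says where the descriptors come from but not why odrefresh needs both `read` and `write` on `odsign_devpts`, which makes the grant harder to audit later. If the intent is only to keep the stdio descriptors inherited from odsign usable after the exec() into the odrefresh domain, I would say so, e.g. `# Keep stdio inherited from odsign usable after exec(): needs fd use plus read/write on its pty.` The permission set is kept narrow (no `open`, `ioctl` or `getattr`), and it would help to state in the comment that this is deliberate so a later change does not widen it to a macro such as `rw_file_perms`. The declaration of `odsign_devpts` and the odsign-to-odrefresh transition are not in this hunk, so I could not check them against these rules.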