Allow system_server to reopen its own memfd. Bug: 311377497 Test: Run Pre-reboot Dexopt. Change-Id: Ic6e273732a042f0906fad7ffa73a3e45af2adde5

commit: 7a257541e9399ff27bf31f32e0b6ea53d6f5c05f [log] [tgz]
author: Jiakai Zhang <jiakaiz@google.com> Wed May 22 17:09:06 2024 +0100
committer: Jiakai Zhang <jiakaiz@google.com> Wed May 22 17:09:06 2024 +0100
tree: 6647aea0913622b3bdfa78b94ee8516c54345930
parent: 2f5774f756a42a7d99b9efbb82a570ff687379b7 [diff]
diff --git a/private/system_server.te b/private/system_server.te
index d05798d..2942b93 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1642,6 +1642,11 @@
 # in Pre-reboot Dexopt.
 allow system_server pre_reboot_dexopt_file:dir { getattr search };
 
+# Allow system_server to reopen its own memfd.
+# system_server needs to copy the new service-art.jar to a memfd and reopen it with the path
+# /proc/self/fd/<fd> with a classloader.
+allow system_server system_server_tmpfs:file open;
+
 # Do not allow any domain other than init or system server to get or set the property
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
commit	7a257541e9399ff27bf31f32e0b6ea53d6f5c05f	[log] [tgz]
author	Jiakai Zhang <jiakaiz@google.com>	Wed May 22 17:09:06 2024 +0100
committer	Jiakai Zhang <jiakaiz@google.com>	Wed May 22 17:09:06 2024 +0100
tree	6647aea0913622b3bdfa78b94ee8516c54345930
parent	2f5774f756a42a7d99b9efbb82a570ff687379b7 [diff]