Allow vendor_overlay_file from vendor apex

Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.

Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 2fdc941..cdf403c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -47,6 +47,8 @@
 r_dir_file(postinstall_dexopt, vendor_app_file)
 # Read vendor overlay files (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
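
Review bot: The comment on the added allow line ("Vendor overlay can be found in vendor apex") does not say why vendor_apex_metadata_file:dir is the target. The commit message gives the reason: the directory is the apex mount point that has to be traversed to reach vendor_overlay_file. Suggest putting that in the comment, for example "# Vendor overlays may be served from a vendor apex; allow traversing the apex mount point." The commit message also states the requirement for all processes with access to vendor_overlay_file, while the visible diff adds the rule for postinstall_dexopt only. Please confirm whether other domains that read vendor_overlay_file need the same { getattr search } grant, or note in the message why this domain alone is changed. Keeping the grant to getattr and search, without read or open on the directory, is the right scope for path traversal.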