Update sepolicy for service dexopt_chroot_setup and artd_pre_reboot.

Bug: 311377497
Test: manual - Call
  getDexoptChrootSetupServiceRegisterer().waitForService()
Test: manual - Set up a chroot environment and call
  getArtdPreRebootServiceRegisterer().waitForService()
Change-Id: I50b5f7f858dab37f05174cb9787f64303d50d083
diff --git a/private/artd.te b/private/artd.te
index acab397..f8e79fb 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,6 +7,7 @@
 # Allow artd to publish a binder service and make binder calls.
 binder_use(artd)
 add_service(artd, artd_service)
+add_service(artd, artd_pre_reboot_service)
 allow artd dumpstate:fifo_file { getattr write };
 allow artd dumpstate:fd use;
 
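Review bot: With the added `add_service(artd, artd_pre_reboot_service)`, any process in the `artd` domain may register either service name, so policy alone does not separate the regular artd instance from the one the commit message describes as running in a chroot. The existing comment above `binder_use(artd)` still speaks of a single binder service. I would add a comment before the new line, for example `# artd_pre_reboot_service is published by the artd instance started inside the pre-reboot chroot; the separation from artd_service is by service name only.`, adjusted to whatever the actual launch path is. If the two instances are meant to hold different privileges, a separate domain would be needed, which this hunk does not introduce.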
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index e19da6c..3dbb9fd 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -6,7 +6,9 @@
 (typeattributeset new_objects
   ( new_objects
     archive_service
+    artd_pre_reboot_service
     contextual_search_service
+    dexopt_chroot_setup_service
     dtbo_block_device
     ota_build_prop
     snapuserd_log_data_file
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
new file mode 100644
index 0000000..f7bd17a
--- /dev/null
+++ b/private/dexopt_chroot_setup.te
@@ -0,0 +1,23 @@
+type dexopt_chroot_setup, domain, coredomain;
+type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
+type dexopt_chroot_setup_tmpfs, file_type;
+
+# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
+binder_use(dexopt_chroot_setup)
+add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
+allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
+allow dexopt_chroot_setup dumpstate:fd use;
+
+init_daemon_domain(dexopt_chroot_setup)
+
+# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
+# processes.
+tmpfs_domain(dexopt_chroot_setup)
+
+# libart (mark_compact.cc) has some intialization code that touches the cache
+# info file and userfaultfd.
+allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
+r_dir_file(dexopt_chroot_setup, apex_art_data_file)
+userfaultfd_use(dexopt_chroot_setup)
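Review bot: The new `dexopt_chroot_setup` domain is a `coredomain` started by init, yet the file ends at `userfaultfd_use(...)` with no `neverallow` bounding how the domain may be entered. Closing the file with `neverallow { domain -init } dexopt_chroot_setup:process transition;` and `neverallow * dexopt_chroot_setup:process dyntransition;` would stop a later policy change from quietly widening entry. The two `dumpstate` allow rules sit under a comment that only mentions binder; they deserve a line of their own such as `# Allow dumpstate to collect output from this service (presumably via dump()).`. The libart comment has a typo, "intialization". No `file_contexts` entry labelling the binary as `dexopt_chroot_setup_exec` is visible in this diff, so confirm it exists, since `init_daemon_domain` has no effect without it.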
diff --git a/private/service_contexts b/private/service_contexts
index 5099097..f981f25 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -179,6 +179,7 @@
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 artd                                      u:object_r:artd_service:s0
+artd_pre_reboot                           u:object_r:artd_pre_reboot_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
 attention                                 u:object_r:attention_service:s0
 audio                                     u:object_r:audio_service:s0
@@ -230,6 +231,7 @@
 device_lock                               u:object_r:devicelock_service:s0
 device_state                              u:object_r:device_state_service:s0
 devicestoragemonitor                      u:object_r:devicestoragemonitor_service:s0
+dexopt_chroot_setup                       u:object_r:dexopt_chroot_setup_service:s0
 diskstats                                 u:object_r:diskstats_service:s0
 display                                   u:object_r:display_service:s0
 dnsresolver                               u:object_r:dnsresolver_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9ea2e9f..7836695 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -283,6 +283,7 @@
 binder_call(system_server, artd)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, composd)
+binder_call(system_server, dexopt_chroot_setup)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
@@ -940,12 +941,14 @@
 
 add_service(system_server, system_server_service);
 allow system_server artd_service:service_manager find;
+allow system_server artd_pre_reboot_service:service_manager find;
 allow system_server audioserver_service:service_manager find;
 allow system_server authorization_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server compos_service:service_manager find;
 allow system_server dataloader_manager_service:service_manager find;
+allow system_server dexopt_chroot_setup_service:service_manager find;
 allow system_server dnsresolver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
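Review bot: The two new `find` rules for `artd_pre_reboot_service` and `dexopt_chroot_setup_service` rely on service types whose declarations are not among the files shown, so their attributes cannot be checked from this diff. If both services are internal to the pre-reboot dexopt flow, their types should carry only `service_manager_type`, not `app_api_service` or `system_api_service`, so that no app domain gains `find` through an attribute-wide rule. A comment above the new lines, for example `# Pre-reboot dexopt services; system_server is the intended client.`, would record that intent if it is correct. The first hunk in this file adds `binder_call(system_server, dexopt_chroot_setup)` to match the second new rule, while the `artd_pre_reboot` service is covered by the existing `binder_call(system_server, artd)`.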