commit 9b69f0de582fa0e8b3f68a92bae8c3b85aba4b68
author Treehugger Robot <treehugger-gerrit@google.com> Wed Jan 18 15:45:02 2023 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Jan 18 15:45:02 2023 +0000
tree 5ef8f5ca43e34ad173378f74bfb7c5a5ba1edd61
parent 2ff660e1349bb7db0bba6b37d877ee386e54a2fc
parent b5f16b23921c20d5a8aab4473cc2ab6e43b706d3

Merge "Allow mkfs/fsck for zoned block device"

private/coredomain.te

diff --git a/private/coredomain.te b/private/coredomain.te
index 55f715d..96ce488 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -93,6 +93,8 @@
         coredomain
         -appdomain
         -artd
+        -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -112,6 +114,8 @@
         coredomain
         -appdomain
         -artd
+        -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd

private/dex2oat.te

diff --git a/private/dex2oat.te b/private/dex2oat.te
index 2ce2459..ea9ab9c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -10,6 +10,8 @@
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
 allow dex2oat vendor_framework_file:file { getattr open read map };
+# Access /vendor/overlay
+r_dir_file(dex2oat, vendor_overlay_file);
 
 allow dex2oat tmpfs:file { read getattr map };
 
@@ -59,6 +61,9 @@
 # Allow dex2oat to use file descriptors passed from privileged programs.
 allow dex2oat { artd installd odrefresh odsign }:fd use;
 
+# Allow dex2oat to read the /proc filesystem for CPU features, etc.
+allow dex2oat proc_filesystems:file r_file_perms;
+
 ##################
 # A/B OTA Dexopt #
 ##################