Allow odrefresh to use FD inherited from compsvc If FD use is not allowed, execve(2) returns EACCESS and the process is killed by SIGSEGV. Minijail closes any FDs by default and open /dev/null for FD 0-2. For now, odrefresh doesn't use any FD. But until we could tell minijail to not create FD 0-2 (which could be arguable), allow the permission. Bug: 210909688 Test: composd_cmd async-odrefresh # exit 80 in enforced mode Change-Id: I8643d8bfc8da03439a04491fba5ba6de663760eb

commit: a341025f8712bf7e26ff0126b84b7f2f1bbe130d [log] [tgz]
author: Victor Hsieh <victorhsieh@google.com> Wed Dec 15 16:48:07 2021 -0800
committer: Victor Hsieh <victorhsieh@google.com> Wed Dec 15 16:54:28 2021 -0800
tree: dc1ea4ad56823e82cc53cb0839bb72ceac923c5f
parent: ac45ef86f5ffbf39687324cb0a50afb32170c3c0 [diff]
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c281896..d8b4392 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te

@@ -25,5 +25,8 @@
 # supported on Android.
 allow odrefresh compos:fifo_file read;
 
-# Do not audit unused resources from parent processes.
-dontaudit odrefresh compos:fd use;
+# Allow using FDs from the parent. It's possible that this could be avoided,
+# if we close fd 0-2 before execute. But minijial replaces them with /dev/null
+# (unless specified otherwise). Without allowing the use, the execution will
+# fail immediately. See b/210909688.
+allow odrefresh compos:fd use;
commit	a341025f8712bf7e26ff0126b84b7f2f1bbe130d	[log] [tgz]
author	Victor Hsieh <victorhsieh@google.com>	Wed Dec 15 16:48:07 2021 -0800
committer	Victor Hsieh <victorhsieh@google.com>	Wed Dec 15 16:54:28 2021 -0800
tree	dc1ea4ad56823e82cc53cb0839bb72ceac923c5f
parent	ac45ef86f5ffbf39687324cb0a50afb32170c3c0 [diff]