Define sepolicy for compos and dex2oat

Bug: 194474784
Test: ComposTestCase # with debug disabled
Change-Id: I2a53df337356fc8e299837358da2a5a88c9c20d3
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 6bfd05e..cde824b 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -3,3 +3,22 @@
 type dex2oat_exec, system_file_type, exec_type, file_type;
 
 allow dex2oat tmpfs:file { read getattr map };
+
+# Allow dex2oat to use FDs from authfs_service via compos.
+allow dex2oat authfs_service:fd use;
+allow dex2oat compos:fd use;
+
+# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
+allow dex2oat authfs_fuse:file rw_file_perms;
+
+# Minijail uses pipe for the parent process to signal the child (as a fallback
+# mechanism, since Android does not support minijail's preload).
+# TODO(196109647): We can probably remove this once the minijail preload is
+# supported on Android.
+allow dex2oat compos:fifo_file read;
+
+# Allow acquiring advisory lock on /system/framework/<arch>/*
+allow dex2oat system_file:file lock;
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
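Review bot: `rw_file_perms` on `authfs_fuse:file` includes `open` (along with `append`, `ioctl` and `lock`), but the comment on that rule says dex2oat only reads and writes FDs handed to it through compos and authfs_service. If dex2oat never opens paths on the authfs mount itself, which this hunk does not show, the rule could be narrowed to what inherited FDs need, e.g. `allow dex2oat authfs_fuse:file { getattr read write };`, adding `map` only if the files are mmapped. That keeps dex2oat confined to the files compos chose to pass in, rather than anything on the mount whose label allows it. It would also help to extend the comment to say why `open` is required if it turns out to be.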