Update SELinux policy for app compilation CUJ.
- Adapt installd rules for app compilation.
- Add profman rules for checking the profile before compilation. This is new behavior compared to installd.
Bug: 229268202
Test: -
1. adb shell pm art optimize-package -m speed-profile -f \
com.google.android.youtube
2. See no SELinux denial.
Change-Id: Idfe1ccdb1b27fd275fdf912bc8d005551f89d4fc
diff --git a/private/dex2oat.te b/private/dex2oat.te
index e7cdd5f..2ce2459 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -15,7 +15,6 @@
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
@@ -38,12 +37,8 @@
# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
allow dex2oat apex_module_data_file:dir search;
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
+# Allow dex2oat to use devpts passed from odsign.
allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
# Allow dex2oat to write to file descriptors from odrefresh for files
# in the staging area.
@@ -61,6 +56,9 @@
# Allow dex2oat to read /apex/apex-info-list.xml
allow dex2oat apex_info_file:file r_file_perms;
+# Allow dex2oat to use file descriptors passed from privileged programs.
+allow dex2oat { artd installd odrefresh odsign }:fd use;
+
##################
# A/B OTA Dexopt #
##################