commit d3132824336f363e174b3f0d3e7b3d8aca4f154e
author Alan Stokes <alanstokes@google.com> Wed Jan 05 16:05:54 2022 +0000
committer Alan Stokes <alanstokes@google.com> Wed Jan 05 18:06:27 2022 +0000
tree 626b04806c79fd07d95cad18bff8a466f629a0f1
parent ee113cf13274073fe20dd54dbf0682c7d19ccfe1

Allow compos to run derive_classpath

We run it in the compos domain, since it doesn't require very much
additional access.

Bug: 189164487
Test: composd_cmd test-compile
Change-Id: I9ef26dd60225505086e45185289e3e03d0a8de8e

microdroid/system/private/compos.te

diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index cbf09ad..174eda3 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -26,6 +26,14 @@
 # Allow locating the authfs mount directory.
 allow compos authfs_data_file:dir search;
 
+# Run derive_classpath in our domain
+allow compos derive_classpath_exec:file rx_file_perms;
+allow compos apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit compos self:dir write;
+# See b/35323867#comment3
+dontaudit compos self:global_capability_class_set dac_override;
+
 # Allow domain transition into odrefresh and dex2oat.
 # TODO(b/209008712): Remove dex2oat once the migration is done.
 domain_auto_trans(compos, odrefresh_exec, odrefresh)