Remove unnecessary privileges from dex2oat in VM

With a change in dex2oat to avoid opening /proc/self/fd, this change
removes open and a few other privileges from dex2oat.

Bug: 196404749
Test: ComposHostTestCases
Change-Id: I822c7ef3886a1cde8601e71afa2eb79973cd573c
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index cde824b..bf44251 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -9,7 +9,7 @@
allow dex2oat compos:fd use;
# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
-allow dex2oat authfs_fuse:file rw_file_perms;
+allow dex2oat authfs_fuse:file { read write getattr map };
# Minijail uses pipe for the parent process to signal the child (as a fallback
# mechanism, since Android does not support minijail's preload).
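Review bot: The comment above the changed allow rule still only says "read/write FDs on authfs_fuse filesystem" and does not record that open is left out on purpose, so a later cleanup could swap the explicit set `{ read write getattr map }` back to rw_file_perms without noticing the regression. Suggest extending that comment to say dex2oat works on FDs passed to it (see `allow dex2oat compos:fd use;`) and must not open authfs_fuse files itself. Also consider pinning this with a rule such as `neverallow dex2oat authfs_fuse:file open;` so that re-adding the permission fails at policy build time.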