Merge "Allow odrefresh to use userfaultfd"
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index be11b69..c083547 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -8,6 +8,14 @@
 # Allow odrefresh to kill dex2oat if compilation times out.
 allow odrefresh dex2oat:process sigkill;
 
+userfaultfd_use(odrefresh)
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
+
 # Allow odrefresh to read/write/lookup files/directories on authfs.
 allow odrefresh authfs_fuse:file create_file_perms;
 allow odrefresh authfs_fuse:dir create_dir_perms;
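Review bot: The added `userfaultfd_use(odrefresh)` is the only rule in this hunk with no rationale comment, although userfaultfd is a kernel facility that policy normally grants per domain and sparingly. I would put a line above it such as `# Allow odrefresh to create and use its own userfaultfd (presumably needed by the ART runtime; confirm).` so a later audit can tell why the domain holds it. The macro's definition is outside this diff, so check that microdroid's version confines the access to odrefresh's own userfaultfd type, as the platform macro is expected to. The new divider comment says the rules above it are mirrored from Android's policy; naming the mirrored file in that comment would make drift between the two easier to spot.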
@@ -15,10 +23,6 @@
 # Allow odrefresh to check the parent directory exists.
 allow odrefresh authfs_data_file:dir { search getattr };
 
-# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
-# the current APEXes.
-allow odrefresh apex_info_file:file r_file_perms;
-
 # Minijail uses pipe for the parent process to signal the child (as a fallback
 # mechanism, since Android does not support minijail's preload).
 # TODO(196109647): We can probably remove this once the minijail preload is