Allow profman to analyze profiles for the secondary dex files
The secondary dex files are application dex files which get reported
back to the framework when using BaseDexClassLoader.
Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.
Example of SELinux denial:
03-15 12:38:46.967 7529 7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
Test: adb shell cmd package bg-dexopt-job works for secondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
diff --git a/public/dex2oat.te b/public/dex2oat.te
index e547296..72b04a1 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -24,7 +24,7 @@
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
-allow dex2oat app_data_file:file { getattr read write };
+allow dex2oat app_data_file:file { getattr read write lock };
##################
# A/B OTA Dexopt #
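Review bot: The comment above the changed `allow dex2oat app_data_file:file` rule still only talks about compiling secondary dex files and gives no reason for the new `lock` permission. The commit message has the reason (dex2oat locks the profile during compilation); moving that sentence into the comment keeps the justification next to the rule, which matters here because `app_data_file` labels all app private data and not only `.prof` files.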
diff --git a/public/profman.te b/public/profman.te
index ff81540..a5c18b5 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,6 +14,11 @@
allow profman installd:fd use;
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman app_data_file:file { getattr read write lock };
+
###
### neverallow rules
###
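Review bot: In the added `allow profman app_data_file:file { getattr read write lock };` rule, `write` is granted even though the comment says profman only analyzes these profiles and the denial quoted in the commit message is for `read` alone. If profman never modifies secondary dex profiles, drop `write`; if it does, the comment should say so. It would also help to note in the comment that `open` is left out on purpose, so profman can only act on file descriptors handed to it (see `allow profman installd:fd use;` just above) and cannot open app data by path.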