Merge "Allow composd to create odrefresh staging directory"

commit: edf5fa00916c6e954d8aab9393c4328c1cc88c6b [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Tue Dec 07 01:07:08 2021 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Dec 07 01:07:08 2021 +0000
tree: 1a9b57245443af67ba353efbb5d9a842df777136
parent: fd3e9d838e729cb15aba38c2a69f32b61af040e5 [diff]
parent: 33aa1a3c527067aa68d194e90df885d12e31ed2b [diff]
diff --git a/private/composd.te b/private/composd.te
index e41533b..41f1a9b 100644
--- a/private/composd.te
+++ b/private/composd.te

@@ -13,6 +13,10 @@
 # Start a VM
 virtualizationservice_use(composd)
 
+# Allow preparing staging directory for odrefresh
+allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
+
 # Access our APEX data files
 allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;

diff --git a/private/domain.te b/private/domain.te
index 5b9a5b1..24e05b5 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -315,9 +315,10 @@
 
 neverallow {
   domain
-  # art processes
+  # art-related processes
   -odrefresh
   -odsign
+  -composd
   # others
   -apexd
   -init
commit	edf5fa00916c6e954d8aab9393c4328c1cc88c6b	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Tue Dec 07 01:07:08 2021 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Dec 07 01:07:08 2021 +0000
tree	1a9b57245443af67ba353efbb5d9a842df777136
parent	fd3e9d838e729cb15aba38c2a69f32b61af040e5 [diff]
parent	33aa1a3c527067aa68d194e90df885d12e31ed2b [diff]