Merge "2nd attempt in fixing sepolicy for shell+oatdump" into main
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 14b68ad..ed12f10 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -10,5 +10,4 @@
 /bin/dexoptanalyzer            u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh                 u:object_r:odrefresh_exec:s0
 /bin/profman                   u:object_r:profman_exec:s0
-/bin/oatdump                   u:object_r:oatdump_exec:s0
 /lib(64)?(/.*)?                u:object_r:system_lib_file:s0
diff --git a/private/file.te b/private/file.te
index f8a48cd..d30465b 100644
--- a/private/file.te
+++ b/private/file.te
@@ -38,6 +38,7 @@
 type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
 
 # /apex/com.android.art/bin/oatdump
+# TODO (b/350628688): Remove this once it's safe to do so.
 type oatdump_exec, system_file_type, exec_type, file_type;
 
 # /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
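Review bot: The comment `# /apex/com.android.art/bin/oatdump` above `type oatdump_exec` is stale after this commit, because the same change deletes the `/bin/oatdump ... oatdump_exec` entry from apex/com.android.art-file_contexts. Unless another file_contexts outside this diff still assigns the type, no file carries it any more. The added TODO says the type will be removed but not why it is kept; I would spell that out, e.g. `# No longer assigned by the ART APEX file_contexts; kept (presumably for policy that still references it) until b/350628688 is resolved.` The shell.te hunk has the same problem: `allow shell oatdump_exec:file rx_file_perms;` still sits under "Allow shell to execute oatdump", yet that rule probably no longer governs the binary, so the comment there should say which rule actually does.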
diff --git a/private/shell.te b/private/shell.te
index d613a94..6d6e06f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -262,6 +262,7 @@
 get_prop(shell, build_attestation_prop)
 
 # Allow shell to execute oatdump.
+# TODO (b/350628688): Remove this once it's safe to do so.
 allow shell oatdump_exec:file rx_file_perms;
 
 # Allow shell access to socket for test
diff --git a/private/uprobestats.te b/private/uprobestats.te
index f6dd906..2c5711f 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -16,7 +16,7 @@
 allow uprobestats sysfs_uprobe:dir { search };
 
 # Allow uprobestats to popen oatdump.
-allow uprobestats oatdump_exec:file rx_file_perms;
+allow uprobestats system_file:file rx_file_perms;
 
 # Allow uprobestats to write atoms to statsd
 unix_socket_send(uprobestats, statsdw, statsd)
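Review bot: The new rule `allow uprobestats system_file:file rx_file_perms;` is much broader than the comment "Allow uprobestats to popen oatdump" suggests. It lets the uprobestats domain read and execute every file labelled `system_file`, where the old rule covered only the one binary labelled `oatdump_exec`. That is presumably needed because oatdump now falls back to a generic label once its file_contexts entry is gone, but it is a least-privilege regression and should be marked as temporary like the other two hunks. I would add `# TODO (b/350628688): grants rx on all system_file; narrow back to a dedicated oatdump label once one can be assigned again.` above the rule. It is also worth checking whether a `neverallow` or a dedicated type could restore the tighter scope for this domain.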