Remove app_data_file:dir access from dexoptanalyzer.
It only accesses already-open file handles since b/67111829, so has no
need for any access to the directories, not even search access.
Fixes: 161960094
Bug: 141677108
Test: boot, install app
Test: cmd package force-dex-opt <package>
Test: cmd package bg-dexopt-job
Test: No denials seen.
Change-Id: I23dca1f038351be759dd16dff18d16d158604c3c
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index a2b2b01..b8b7b30 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -11,7 +11,7 @@
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
-#processes.
+# processes.
tmpfs_domain(dexoptanalyzer)
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
@@ -28,12 +28,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
-# "dontaudit...audit_access" policy line to suppress the audit access without
-# suppressing denial on actual access.
-dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };