Merge "Revert "Suppress denials for odsign console"" into main am: c087c0b98c

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3101601 Change-Id: Ifb6d5d5a8024f090006387d6af962184c87427e5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-24 13:38:31 +00:00 · 2024-05-24 13:38:31 +00:00 · 07e0507c74
commit 07e0507c74
parent c488d0bd8f c087c0b98c
1 changed files with 3 additions and 4 deletions
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@ -15,10 +15,9 @@ allow compos_verify apex_compos_data_file:file { rw_file_perms create };
 allow compos_verify apex_art_data_file:dir search;
 allow compos_verify apex_art_data_file:file r_file_perms;

-# odsign runs us with its console as our stdin/stdout/stderr.
-# But we never use them; logs go to logcat. Suppress the useless denials.
-dontaudit compos_verify odsign:fd use;
-dontaudit compos_verify odsign_devpts:chr_file { read write };
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };

 # Only odsign can enter the domain via exec
 neverallow { domain -odsign } compos_verify:process transition;