From 5fcce9ded3a621ba94e273317b5a331d4d2ad230 Mon Sep 17 00:00:00 2001 From: Orion Hodson Date: Mon, 19 Jul 2021 18:58:43 +0100 Subject: [PATCH] postinstall_dexopt: allow reading odsign.verification.status Allows dexopt to read odsign verification status and use on-device generated artifacts when dexopting after an OTA. Bug: 194069492 Test: manually apply ota, see no denials for reading property Change-Id: I97acfc17ffd9291d1a81906c75039f01624dff0f --- prebuilts/api/31.0/private/postinstall_dexopt.te | 3 +++ private/postinstall_dexopt.te | 3 +++ 2 files changed, 6 insertions(+) diff --git a/prebuilts/api/31.0/private/postinstall_dexopt.te b/prebuilts/api/31.0/private/postinstall_dexopt.te index 94af0436b..2fdc94123 100644 --- a/prebuilts/api/31.0/private/postinstall_dexopt.te +++ b/prebuilts/api/31.0/private/postinstall_dexopt.te @@ -32,6 +32,9 @@ allow postinstall_dexopt rootfs:file r_file_perms; allow postinstall_dexopt tmpfs:file read; +# Allow access odsign verification status +get_prop(postinstall_dexopt, odsign_prop) + # Allow access to /postinstall/apex. allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search }; diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te index 94af0436b..2fdc94123 100644 --- a/private/postinstall_dexopt.te +++ b/private/postinstall_dexopt.te @@ -32,6 +32,9 @@ allow postinstall_dexopt rootfs:file r_file_perms; allow postinstall_dexopt tmpfs:file read; +# Allow access odsign verification status +get_prop(postinstall_dexopt, odsign_prop) + # Allow access to /postinstall/apex. allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };