Fix sepolicy for secondary dex files am: de7244cf23

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1360752 Change-Id: I42e7ae0da2d566c983f706194510ec3b543af925
2020-07-15 18:42:58 +00:00 · 2020-07-15 18:42:58 +00:00 · 150e00dd75
commit 150e00dd75
parent 0dbb6abf7d de7244cf23
4 changed files with 12 additions and 0 deletions
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@ -22,6 +22,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
@ -38,6 +39,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
--- a/prebuilts/api/30.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/30.0/private/dexoptanalyzer.te
@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;

+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -39,6 +39,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
@ -55,6 +56,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -dex2oat
+        -dexoptanalyzer
        -idmap
        -init
        -installd
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@ -3,6 +3,10 @@ type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;

+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.