Merge "Allow compos_fd_server to create artifacts" am: afc596f8f8

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1922442 Change-Id: I32287f968e6e651db150f9306a383f36f5e3582c
2021-12-15 11:36:20 +00:00 · 2021-12-15 11:36:20 +00:00 · 29a90d33cb
commit 29a90d33cb
parent 29be9a0edf afc596f8f8
2 changed files with 8 additions and 3 deletions
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@ -4,15 +4,18 @@ type compos_fd_server, domain, coredomain;
 # Allow access to open fds inherited from odrefresh - read inputs, generate outputs
 # TODO(b/209008712): Remove once migration is done.
 allow compos_fd_server odrefresh:fd use;
-allow compos_fd_server apex_art_data_file:file { getattr read };

 # Allow access to open fds inherited from composd
 allow compos_fd_server composd:fd use;

-# Allow creating new files and directory in the staging directory.
+# Allow creating new files and directories in the staging directory.
 allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
 allow compos_fd_server apex_art_staging_data_file:file create_file_perms;

+# Allow creating new files and directories in the artifacts directory.
+allow compos_fd_server apex_art_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_data_file:file create_file_perms;
+
 # Use a pipe to signal readiness
 # TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
 allow compos_fd_server odrefresh:fifo_file write;
--- a/private/domain.te
+++ b/private/domain.te
@ -305,6 +305,7 @@ neverallow {
 neverallow {
  domain
  # art processes
+  -compos_fd_server
  -odrefresh
  -odsign
  # others
@ -316,9 +317,10 @@ neverallow {
 neverallow {
  domain
  # art-related processes
+  -compos_fd_server
  -odrefresh
  -odsign
-  -composd
+  -composd  # TODO: Remove
  # others
  -apexd
  -init