Merge "Allow compos to run derive_classpath"

microdroid/system/private/compos.te

@@ -26,6 +26,14 @@ allow compos authfs_fuse:file create_file_perms;
 # Allow locating the authfs mount directory.
 allow compos authfs_data_file:dir search;
 
+# Run derive_classpath in our domain
+allow compos derive_classpath_exec:file rx_file_perms;
+allow compos apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit compos self:dir write;
+# See b/35323867#comment3
+dontaudit compos self:global_capability_class_set dac_override;
+
 # Allow domain transition into odrefresh and dex2oat.
 # TODO(b/209008712): Remove dex2oat once the migration is done.
 domain_auto_trans(compos, odrefresh_exec, odrefresh)

microdroid/system/private/derive_classpath.te

@@ -0,0 +1 @@
+type derive_classpath_exec, system_file_type, exec_type, file_type;