odrefresh: add permission to sigkill child processes

(cherry picked from commit 522bcbe9e6) Ignore-AOSP-First: cherry-pick from aosp Bug: 177432913 Bug: 196969404 Test: manually decrease odrefresh compilation timeout, no avc denied Change-Id: I7dec0a3d82c82b5dea4b5f3f38d9170bb1f40840
2021-08-17 19:02:42 +01:00 · 2021-08-17 19:02:42 +01:00 · 86477d7933
commit 86477d7933
parent ff53c4d16e
2 changed files with 12 additions and 0 deletions
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ b/prebuilts/api/31.0/private/odrefresh.te
@ -21,9 +21,15 @@ allow odrefresh apex_art_staging_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)

+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)

+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
 # Use devpts and fd from odsign (which exec()'s odrefresh)
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@ -21,9 +21,15 @@ allow odrefresh apex_art_staging_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)

+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)

+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
 # Use devpts and fd from odsign (which exec()'s odrefresh)
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;