From 7a257541e9399ff27bf31f32e0b6ea53d6f5c05f Mon Sep 17 00:00:00 2001
From: Jiakai Zhang <jiakaiz@google.com>
Date: Wed, 22 May 2024 17:09:06 +0100
Subject: [PATCH] Allow system_server to reopen its own memfd.

Bug: 311377497
Test: Run Pre-reboot Dexopt.
Change-Id: Ic6e273732a042f0906fad7ffa73a3e45af2adde5
---
 private/system_server.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/private/system_server.te b/private/system_server.te
index d05798d06..2942b93b4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1642,6 +1642,11 @@ neverallow {
 # in Pre-reboot Dexopt.
 allow system_server pre_reboot_dexopt_file:dir { getattr search };
 
+# Allow system_server to reopen its own memfd.
+# system_server needs to copy the new service-art.jar to a memfd and reopen it with the path
+# /proc/self/fd/<fd> with a classloader.
+allow system_server system_server_tmpfs:file open;
+
 # Do not allow any domain other than init or system server to get or set the property
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;