From 9112c9aa6d86590b2455e72c5f9e7120fda13443 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Tue, 19 Oct 2021 16:50:24 +0100
Subject: [PATCH] Allow system server to access composd.

Also allow composd to kill odrefresh (it execs it); this is necessary
for cancel() to work.

Bug: 199147668
Test: manual
Change-Id: I233cac50240130da2f4e99f452697c1162c10c40
---
 private/composd.te       | 7 ++++++-
 private/system_server.te | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/private/composd.te b/private/composd.te
index 4f851252c..5edea69a8 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -6,6 +6,9 @@ init_daemon_domain(composd)
 binder_use(composd)
 add_service(composd, compos_service)
 
+# Call back into system server
+binder_call(composd, system_server)
+
 # Start a VM
 virtualizationservice_use(composd)
 
@@ -14,5 +17,7 @@ allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;
 allow composd apex_compos_data_file:file create_file_perms;
 
-# Run odrefresh to refresh ART artifacts
+# TODO(b/205750213): Removed these when we run odrefresh in the VM
+# Run odrefresh to refresh ART artifacts, and kill it if we need to
 domain_auto_trans(composd, odrefresh_exec, odrefresh)
+allow composd odrefresh:process sigkill;
diff --git a/private/system_server.te b/private/system_server.te
index 9f620c20a..8227c29dd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -262,6 +262,7 @@ allow system_server app_zygote:unix_stream_socket { read write connectto setopt
 binder_use(system_server)
 binder_call(system_server, appdomain)
 binder_call(system_server, binderservicedomain)
+binder_call(system_server, composd)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
@@ -849,6 +850,7 @@ allow system_server audioserver_service:service_manager find;
 allow system_server authorization_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
+allow system_server compos_service:service_manager find;
 allow system_server dataloader_manager_service:service_manager find;
 allow system_server dnsresolver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;