Allow dex2oat to search in authfs directories

dex2oat checks that $ANDROID_ROOT exists, which is a directory in an authfs
mount. Give it permission to search along the path.

Strictly speaking, this doesn't change how dex2oat executes in this
particular case, for now. Functions like LocationIsOnSystemFramework
make sure getenv(ANDROID_ROOT) exists. But either way, for those kinds of
location checks, it won't match the mount path in /data/misc/authfs
anyway.

Bug: 205750213
Test: no more SELinux denials from dex2oat
Change-Id: I1b52dfdeb057443304f02784b6aa180d7db28bd8
Victor Hsieh 2021-12-15 10:57:35 -08:00
parent b415c7388f
commit e2a4d0c918

@ -12,6 +12,10 @@ allow dex2oat odrefresh:fd use;
# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
allow dex2oat authfs_fuse:file { read write getattr map };
# Allow to search in authfs directories.
allow dex2oat authfs_data_file:dir { search };
allow dex2oat authfs_fuse:dir { search };
# Minijail uses pipe for the parent process to signal the child (as a fallback
# mechanism, since Android does not support minijail's preload).
# TODO(196109647): We can probably remove this once the minijail preload is
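Review bot: The comment above the two new `dir { search }` rules ("Allow to search in authfs directories.") states what is granted but not why, so a later policy audit cannot tell whether the rules are still needed. Suggest recording the reason from the commit message there: dex2oat checks that $ANDROID_ROOT exists, and that path lies inside an authfs mount under /data/misc/authfs. Since the message also says the check does not currently change how dex2oat executes, it is worth stating in the comment or the message why `allow` was chosen over `dontaudit` for silencing the denials. Keeping the permission set to `search` only, with no `read` or `open` on the directories, is the right scope and should stay that way.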