From 6c874fb295ef557c7bb103e09f43c4671387ad91 Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Wed, 23 Mar 2022 17:19:39 -0700
Subject: [PATCH] Allow odrefresh to use userfaultfd

This isn't really used at the moment, but since the decision was to keep the capability for future ART change, we should also allow it in CompOS for consistency. While I'm on in, rearrange the policy to group mirrored policies together.

Bug: 209488862
Test: None
Change-Id: Id6afafc42005e711127a1e0831d4dd03e48959eb
---
 microdroid/system/private/odrefresh.te | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index be11b697c..c08354772 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -8,6 +8,14 @@ domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
 # Allow odrefresh to kill dex2oat if compilation times out.
 allow odrefresh dex2oat:process sigkill;
 
+userfaultfd_use(odrefresh)
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
+
 # Allow odrefresh to read/write/lookup files/directories on authfs.
 allow odrefresh authfs_fuse:file create_file_perms;
 allow odrefresh authfs_fuse:dir create_dir_perms;
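Review bot: The added `userfaultfd_use(odrefresh)` is the only rule in this hunk without an explanatory comment, and by the commit message it grants a capability that odrefresh does not exercise today, which cuts against least privilege inside the CompOS VM. If the grant stays for parity with the host policy, say so at the rule, e.g. `# Mirror Android's odrefresh policy: userfaultfd is kept for a future ART change and is not used yet (b/209488862).`, so a later audit can tell it apart from a required permission and drop it if the ART change never lands. What the macro expands to is not visible here; it would be worth confirming that it grants nothing beyond odrefresh's own userfaultfd objects. The commit lists `Test: None`, so a policy build plus one CompOS compilation run would be reasonable evidence before merging.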
@@ -15,10 +23,6 @@ allow odrefresh authfs_fuse:dir create_dir_perms;
 # Allow odrefresh to check the parent directory exists.
 allow odrefresh authfs_data_file:dir { search getattr };
 
-# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
-# the current APEXes.
-allow odrefresh apex_info_file:file r_file_perms;
-
 # Minijail uses pipe for the parent process to signal the child (as a fallback
 # mechanism, since Android does not support minijail's preload).
 # TODO(196109647): We can probably remove this once the minijail preload is