7026c1043b
We recently started to forward dalvik related system properties to
CompOS for odrefresh to use. The properties are set indeed, but we
still need to allow odrefresh to use.
Bug: 231579544
Test: Cherry pick aosp/2096406, run composd_cmd test-compile
See ro.dalvik.vm.*, dalvik.vm.* and
persist.device_config.runtime_native_boot.enable_uffd_gc
properties in cache-info.xml
Ignore-AOSP-First: Will cherry pick
Change-Id: I5a44384bf39c572878b1d305c3df9860d9324eda
Merged-In: I5a44384bf39c572878b1d305c3df9860d9324eda
44 lines
1.8 KiB
Text
44 lines
1.8 KiB
Text
# odrefresh
|
|
type odrefresh, domain, coredomain;
|
|
type odrefresh_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Run dex2oat in its own sandbox.
|
|
domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
|
|
|
|
# Allow odrefresh to kill dex2oat if compilation times out.
|
|
allow odrefresh dex2oat:process sigkill;
|
|
|
|
userfaultfd_use(odrefresh)
|
|
|
|
# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
|
|
# the current APEXes.
|
|
allow odrefresh apex_info_file:file r_file_perms;
|
|
|
|
# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
|
|
|
|
# Allow odrefresh to read/write/lookup files/directories on authfs.
|
|
allow odrefresh authfs_fuse:file create_file_perms;
|
|
allow odrefresh authfs_fuse:dir create_dir_perms;
|
|
|
|
# Allow odrefresh to check the parent directory exists.
|
|
allow odrefresh authfs_data_file:dir { search getattr };
|
|
|
|
# Minijail uses pipe for the parent process to signal the child (as a fallback
|
|
# mechanism, since Android does not support minijail's preload).
|
|
# TODO(196109647): We can probably remove this once the minijail preload is
|
|
# supported on Android.
|
|
allow odrefresh compos:fifo_file read;
|
|
|
|
# Allow using FDs from the parent. It's possible that this could be avoided,
|
|
# if we close fd 0-2 before execute. But minijial replaces them with /dev/null
|
|
# (unless specified otherwise). Without allowing the use, the execution will
|
|
# fail immediately. See b/210909688.
|
|
allow odrefresh compos:fd use;
|
|
|
|
# Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
|
|
# in the output for later verification check.
|
|
get_prop(odrefresh, dalvik_config_prop)
|
|
get_prop(odrefresh, device_config_runtime_native_boot_prop)
|
|
|
|
# Silently ignore the write to properties, e.g. for setting boot animation progress.
|
|
dontaudit odrefresh property_socket:sock_file write;
|