2a017b61a6
Bug: 209488862
Test: Follow instructions in b/209488862#comment12, compilation can
only succeed with this patch
Change-Id: I6475a1be0db635de96b9f8fdbf9dd3a76c3a759b
36 lines
1.3 KiB
Text
36 lines
1.3 KiB
Text
# dex2oat
|
|
type dex2oat, domain, coredomain;
|
|
type dex2oat_exec, system_file_type, exec_type, file_type;
|
|
|
|
userfaultfd_use(dex2oat)
|
|
|
|
allow dex2oat tmpfs:file { read getattr map };
|
|
|
|
# Allow dex2oat to use FDs from authfs_service via compos.
|
|
allow dex2oat authfs_service:fd use;
|
|
allow dex2oat compos:fd use;
|
|
allow dex2oat odrefresh:fd use;
|
|
|
|
# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
|
|
allow dex2oat authfs_fuse:file { read write getattr map };
|
|
|
|
# Allow to search in authfs directories.
|
|
allow dex2oat authfs_data_file:dir { search };
|
|
allow dex2oat authfs_fuse:dir { search };
|
|
|
|
# Minijail uses pipe for the parent process to signal the child (as a fallback
|
|
# mechanism, since Android does not support minijail's preload).
|
|
# TODO(196109647): We can probably remove this once the minijail preload is
|
|
# supported on Android.
|
|
allow dex2oat compos:fifo_file read;
|
|
|
|
# Allow acquiring advisory lock on /system/framework/<arch>/*
|
|
allow dex2oat system_file:file lock;
|
|
|
|
# Allow dex2oat to read /apex/apex-info-list.xml
|
|
allow dex2oat apex_info_file:file r_file_perms;
|
|
|
|
# Don't audit because we don't configure the compiler through system properties
|
|
# in the VM.
|
|
dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
|
|
dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
|