Sepolicy: Add search rights for A/B dexopt

More read rights are required now.

Bug: 25612095
Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42
diff --git a/dex2oat.te b/dex2oat.te
index 48daac3..fdf5536 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -24,7 +24,7 @@
 # Allow dex2oat to use file descriptors from otapreopt.
 allow dex2oat postinstall_dexopt:fd use;
 
-allow dex2oat postinstall_file:dir getattr;
+allow dex2oat postinstall_file:dir { getattr search };
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
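Review bot: The widened rule `allow dex2oat postinstall_file:dir { getattr search };` carries no comment, unlike the fd rule above it and the /data/ota rule below it, and the commit message only says that more read rights are required. `search` lets the domain traverse every directory labelled postinstall_file, so the reason for the grant should be recorded next to it, for example `# A/B dexopt: dex2oat must traverse the postinstall tree to reach its inputs.` (the exact path being resolved is not visible in this hunk, so adjust the wording to the denial that prompted the change). The same comment is missing on the matching `allow postinstall_dexopt postinstall_file:dir { getattr search };` line in postinstall_dexopt.te.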
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index dbc76df..1a236fc 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -8,7 +8,7 @@
 # init_daemon_domain(otapreopt)
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
-allow postinstall_dexopt postinstall_file:dir getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
 allow postinstall_dexopt proc:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
@@ -55,3 +55,5 @@
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
 allow postinstall_dexopt otapreopt_chroot:fd use;
+
+allow postinstall_dexopt cpuctl_device:dir search;
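Review bot: The added `allow postinstall_dexopt cpuctl_device:dir search;` is not covered by the commit message, which only mentions read rights for A/B dexopt, and it has no comment saying what in otapreopt touches the cpuctl directory. If the denial comes from a code path otapreopt does not need to succeed (this cannot be told from the hunk), `dontaudit postinstall_dexopt cpuctl_device:dir search;` would silence it without granting anything. If the access is needed, keep the allow and put a comment above it naming the caller, in the same style as the fd comment earlier in this hunk, so the grant can be removed once that caller goes away.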