Allow composd to run odrefresh

Also allow odrefresh to run pvm_exec to talk to the CompOS VM.

And I moved the dontaudit & neverallow rules to the bottom while I was here.

Bug: 186126194
Test: adb shell apex/com.android.compos/bin/composd_cmd
Change-Id: I6f06dd6467a8eb59123d06c7179a86d9287e7f2f
diff --git a/private/composd.te b/private/composd.te
index 725e79e..4f85125 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,3 +13,6 @@
 allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;
 allow composd apex_compos_data_file:file create_file_perms;
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(composd, odrefresh_exec, odrefresh)
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3db1ae8..811b7cf 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -34,16 +34,30 @@
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;
 
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Use inherited stdin/stdout/stderr from composd which exec()'s
+# odrefesh.
+allow odrefresh composd:fd use;
+
+# Run system binaries, e.g. pvm_exec, in the same domain
+allow odrefresh system_file:file execute_no_trans;
+
 # Do not audit unused resources from parent processes (adb, shell, su).
 # These appear to be unnecessary for odrefresh.
 dontaudit odrefresh { adbd shell }:fd use;
 dontaudit odrefresh devpts:chr_file rw_file_perms;
 dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
 
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
 # No other processes should be creating files in the staging area.
 neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
 
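Review bot: `allow odrefresh system_file:file execute_no_trans;` lets odrefresh run every file labelled system_file inside its own domain, while the comment above it names only pvm_exec as the intended target. odrefresh is one of the few domains that the neverallow rules in this file exempt for apex_art_staging_data_file and odrefresh_data_file, so anything it executes without a transition inherits that access. Consider giving pvm_exec its own file type in file_contexts and granting only that, e.g. `allow odrefresh <PVM_EXEC_FILE_TYPE>:file rx_file_perms;` (placeholder type name), or at least state in the comment why the broad grant is needed. The comment on the `composd:fd use` rule also misspells the binary as `odrefesh`.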
@@ -51,10 +65,3 @@
 # odrefresh_data_files.
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)