Allow vendor_overlay_file from vendor apex
Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.
Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 23f7444..379e32c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -12,6 +12,8 @@
allow dex2oat vendor_framework_file:file { getattr open read map };
# Access /vendor/overlay
r_dir_file(dex2oat, vendor_overlay_file);
+# Vendor overlay can be found in vendor apex
+allow dex2oat vendor_apex_metadata_file:dir { getattr search };
allow dex2oat tmpfs:file { read getattr map };
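Review bot: The new comment above `allow dex2oat vendor_apex_metadata_file:dir { getattr search };` does not say why this type is needed, and a reader will not connect `vendor_apex_metadata_file` with overlays from the comment alone. The commit message explains that the type labels the apex mount point, which has to be traversed to reach a `vendor_overlay_file`. Suggest rewording it along the lines of `# Traverse the vendor apex mount point to reach vendor overlays served from an apex`. The commit message also describes the requirement as applying to every process with access to `vendor_overlay_file`, while the visible change grants it only to dex2oat. It is worth confirming that the other domains using `r_dir_file(..., vendor_overlay_file)` receive the same dir-only `getattr`/`search` grant, or folding the rule into a shared macro so the two stay in sync. The grant itself is appropriately narrow: directory class only, with no `read` or `open`. Finally, `Test: presubmit tests` does not show that an overlay served from a vendor apex was actually exercised. A note on a manual check for the absence of dex2oat denials in that configuration would help.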