Sepolicy: Add base runtime APEX preinstall policies
Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.
Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
diff --git a/private/dex2oat.te b/private/dex2oat.te
index c529d11..47c78a0 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -68,6 +68,16 @@
# create them itself (and make them world-readable).
allow dex2oat ota_data_file:file { create w_file_perms setattr };
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
+
##############
# Neverallow #
##############
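Review bot: The comment `# /dev/zero is inherited.` above `allow dex2oat apexd:fd use;` names a device but not who opened it or why apexd is involved, and the rule itself is wider than the comment suggests. `fd use` on `apexd` covers every descriptor apexd created, so anything apexd leaves open across exec passes the fd check and is then limited only by dex2oat's rules on the object's own type. I would say so in the comment, e.g. `# stdio (/dev/zero) opened by apexd is inherited via the preinstall hook; only fd use is granted, access to the underlying object is still checked against its own type.` The apexd -> art_apex_preinstall -> dex2oat chain is inferred from the commit message and is not visible in this hunk, so confirm it before wording the comment that way. The Neverallow block that follows is outside the hunk, so whether it already constrains these descriptors cannot be checked from here.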