Sepolicy: Add search rights for A/B dexopt

(cherry picked from commit 8cac2586) More read rights are required now. Bug: 25612095 Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42

Sepolicy: Add search rights for A/B dexopt
449abb3c · Andreas Gampe · Jeffrey Vander Stoep · 357ee67a · 449abb3c · 449abb3c
Commit 449abb3c authored 8 years ago by Andreas Gampe Committed by Jeffrey Vander Stoep 8 years ago
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -29,7 +29,7 @@ allow dex2oat user_profile_data_file:file { getattr read lock };
 # Allow dex2oat to use file descriptors from otapreopt.
 allow dex2oat postinstall_dexopt:fd use;
-allow dex2oat postinstall_file:dir getattr;
+allow dex2oat postinstall_file:dir { getattr search };
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;

--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -8,7 +8,7 @@ type postinstall_dexopt, domain;
 # init_daemon_domain(otapreopt)
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
-allow postinstall_dexopt postinstall_file:dir getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
 allow postinstall_dexopt proc:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
@@ -53,3 +53,5 @@ allow postinstall_dexopt postinstall:process sigchld;
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
 allow postinstall_dexopt otapreopt_chroot:fd use;
+allow postinstall_dexopt cpuctl_device:dir search;