From 449abb3c40f1feba3d3fad112fee4cb6b63eff19 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Mon, 6 Jun 2016 14:51:46 -0700
Subject: [PATCH] Sepolicy: Add search rights for A/B dexopt

(cherry picked from commit 8cac25868a981bb22f7423c6d03a5fdf9df222d1)

More read rights are required now.

Bug: 25612095
Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42
---
 dex2oat.te            | 2 +-
 postinstall_dexopt.te | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dex2oat.te b/dex2oat.te
index c18f496b5..8c80a32a8 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -29,7 +29,7 @@ allow dex2oat user_profile_data_file:file { getattr read lock };
 # Allow dex2oat to use file descriptors from otapreopt.
 allow dex2oat postinstall_dexopt:fd use;
 
-allow dex2oat postinstall_file:dir getattr;
+allow dex2oat postinstall_file:dir { getattr search };
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
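Review bot: The widened rule `allow dex2oat postinstall_file:dir { getattr search };` carries no comment naming the path dex2oat has to traverse, and the commit message only says that more read rights are required. `search` lets the domain resolve names under every directory labelled postinstall_file, so the reason should be recorded next to the rule, for example `# Allow dex2oat to traverse the postinstall mount during A/B OTA dexopt.` (purpose inferred from the subject line; confirm). The same undocumented widening is made for postinstall_dexopt in the first hunk of postinstall_dexopt.te and would benefit from a matching comment.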
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index 1ab929c76..e0cc25720 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -8,7 +8,7 @@ type postinstall_dexopt, domain;
 # init_daemon_domain(otapreopt)
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
-allow postinstall_dexopt postinstall_file:dir getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
 allow postinstall_dexopt proc:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
@@ -53,3 +53,5 @@ allow postinstall_dexopt postinstall:process sigchld;
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
 allow postinstall_dexopt otapreopt_chroot:fd use;
+
+allow postinstall_dexopt cpuctl_device:dir search;
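Review bot: The added `allow postinstall_dexopt cpuctl_device:dir search;` is the only rule in this hunk without a comment, and neither the subject nor the description mentions cpuctl_device. Directory search on its own permits traversal but no read or write of the entries beneath it, so from this hunk it is not clear whether the access is functionally needed or only silences a denial. If the latter, `dontaudit postinstall_dexopt cpuctl_device:dir search;` would keep the domain tighter. Either way a line such as `# otapreopt looks up the cpuctl directory (presumably when setting scheduling for dexopt; confirm).` above the rule would make the grant auditable.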
-- 
GitLab