From 8cbe674345b459d299a9b0f7b70b9d2e2105e8bb Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Tue, 1 May 2018 10:47:35 -0700
Subject: [PATCH] Sepolicy: Modify postinstall_dexopt

Update prebuilts for API 28.

Bug: 77958490
Test: m
Test: manual
Change-Id: Ic3f8599266ff8fffdff1492a5600a10f6fecbe88
---
 prebuilts/api/28.0/public/postinstall_dexopt.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/prebuilts/api/28.0/public/postinstall_dexopt.te b/prebuilts/api/28.0/public/postinstall_dexopt.te
index 82215300a..ffd8bc574 100644
--- a/prebuilts/api/28.0/public/postinstall_dexopt.te
+++ b/prebuilts/api/28.0/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
 
 type postinstall_dexopt, domain;
 
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
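Review bot: The `fsetid` added to the `self:global_capability_class_set` rule has no comment giving the reason, and the commit message only says the prebuilt is being updated. This domain already holds `chown`, `dac_override`, `fowner`, `setgid` and `setuid`, and CAP_FSETID additionally lets it keep set-user-ID/set-group-ID mode bits that the kernel would otherwise clear on modification. I would put a line above the rule such as `# fsetid: required by <operation that triggered the denial>`, so a later audit can tell whether the grant is still needed. If the denial was only a side effect of a chmod or chown whose result does not depend on the capability (not visible from this hunk), `dontaudit postinstall_dexopt self:global_capability_class_set fsetid;` would be the narrower choice.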
@@ -26,6 +26,8 @@ r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 # Read profile data.
 allow postinstall_dexopt user_profile_data_file:dir { getattr search };
 allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
 
 # Write to /data/ota(/*). Create symlinks in /data/ota(/*)
 allow postinstall_dexopt ota_data_file:dir create_dir_perms;
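Review bot: The comment on the new `dontaudit` line speaks of a "deletion denial", but the rule silences `write` on the `file` class of `user_profile_data_file`. Removing a file is normally checked as `unlink` on the file and `remove_name`/`write` on the directory, so either the comment or the permission set does not describe the denial actually seen. I would reword it to say what is suppressed and that access stays denied, for example `# Silence write denials on profile files; writes remain denied because postinstall dexopt must not update profiles.` Because `dontaudit` removes these denials from the audit log, any unexpected write attempt from this domain also becomes invisible to monitoring, so the rule should stay limited to this single permission.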
-- 
GitLab