dexoptanalyzer: suppress access(2) denial

A legitimate call to access(2) is generating a denial. Use the audit_access permission to suppress the denial on just the access() call. avc: denied { write } for name="verified_jars" scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Bug: 62597207 Test: build policy Test: The following cmd succeeds but no longer generates a denial adb shell cmd package compile -r bg-dexopt --secondary-dex \ com.google.android.googlequicksearchbox Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f (cherry picked from commit 575e6270)

dexoptanalyzer: suppress access(2) denial
A legitimate call to access(2) is generating a denial. Use the audit_access permission to suppress the denial on just the access() call. avc: denied { write } for name="verified_jars" scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Bug: 62597207 Test: build policy Test: The following cmd succeeds but no longer generates a denial adb shell cmd package compile -r bg-dexopt --secondary-dex \ com.google.android.googlequicksearchbox Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f (cherry picked from commit 575e6270)
06aee357 · Jeff Vander Stoep · 2be9799b · 06aee357
Commit 06aee357 authored 7 years ago by Jeff Vander Stoep
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -21,6 +21,10 @@ allow dexoptanalyzer installd:fd use;
 # package manager.
 allow dexoptanalyzer app_data_file:dir { getattr search };
 allow dexoptanalyzer app_data_file:file r_file_perms;
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;

 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };