Commit 06aee357 authored by Jeff Vander Stoep

dexoptanalyzer: suppress access(2) denial

A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.

avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
    adb shell cmd package compile -r bg-dexopt --secondary-dex \
    com.google.android.googlequicksearchbox

Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
(cherry picked from commit 575e6270)
parent 2be9799b
......@@ -21,6 +21,10 @@ allow dexoptanalyzer installd:fd use;
# package manager.
allow dexoptanalyzer app_data_file:dir { getattr search };
allow dexoptanalyzer app_data_file:file r_file_perms;
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
dontaudit dexoptanalyzer app_data_file:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
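Review bot: The new comment above the dontaudit line says it will "suppress the audit access", which is ambiguous about what stays audited. Suggest rewording it to state that only the permission check made by access(2) is silenced, and that a real write attempt to an app_data_file directory is still denied and still logged, since the allow rule above grants only { getattr search } on that class. The rule is scoped to app_data_file:dir, which matches the tclass=dir in the denial quoted in the commit message; saying in the comment that the dir-only scope is deliberate would stop a later change from widening it to other classes without a matching denial.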