From b5c927184f20afdb9e6a6f3a630a2c53bc0dea6e Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Mon, 30 Apr 2018 09:52:54 -0700
Subject: [PATCH] Sepolicy: Modify postinstall_dexopt

Grant fsetid as it was done for installd. Suppress write to
profile files.

(cherry picked from commit 006e160b1a547ee2c9c16591135b97c4c2f85dd7)

Bug: 77958490
Test: m
Test: manual
Merged-In: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62
Change-Id: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62
---
 public/postinstall_dexopt.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 82215300a..ffd8bc574 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
 
 type postinstall_dexopt, domain;
 
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
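Review bot: The new fsetid capability on the allow line is added with no comment in the .te file explaining why postinstall_dexopt needs it; the only rationale is in the commit message ("as it was done for installd"), which a later reader of the policy will not see. Capability grants in this file should say what operation needs them so the set can be trimmed when that operation changes, e.g. a line above the rule such as `# fsetid: keep setuid/setgid bits when chown-ing files, as installd does (Bug: 77958490).` If the exact file operation that triggered the denial is known, name it in that comment instead of pointing at installd.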
@@ -26,6 +26,8 @@ r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 # Read profile data.
 allow postinstall_dexopt user_profile_data_file:dir { getattr search };
 allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
 
 # Write to /data/ota(/*). Create symlinks in /data/ota(/*)
 allow postinstall_dexopt ota_data_file:dir create_dir_perms;
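Review bot: The comment on the new dontaudit line says "Suppress deletion denial", but the rule silences `write` on user_profile_data_file:file, not unlink, so the comment and the rule disagree about what is being hidden. Either wording or rule is wrong; given the commit subject ("Suppress write to profile files") the comment should read `# Suppress write denial (we do not want to update the profile).` Since a dontaudit hides a genuine access attempt from the audit log, keeping the comment exact about which permission is muted matters for anyone later reviewing whether this domain should be touching profiles at all. Minor style point: the braces around a single permission are unnecessary, `dontaudit postinstall_dexopt user_profile_data_file:file write;`, matching the surrounding rules.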
-- 
GitLab