From ebcec9b8bbf6c725aaaaf6122cbb47cbca44569a Mon Sep 17 00:00:00 2001
From: Calin Juravle <calin@google.com>
Date: Wed, 15 Mar 2017 18:47:06 -0700
Subject: [PATCH] Allow profman to analyze profiles for the secondary dex files

The secondary dex files are application dex files which get reported
back to the framework when using BaseDexClassLoader.

Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.

Example of SElinux denial:
03-15 12:38:46.967  7529  7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1

Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf
---
 public/dex2oat.te | 2 +-
 public/profman.te | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/public/dex2oat.te b/public/dex2oat.te
index e5472960f..72b04a107 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -24,7 +24,7 @@ allow dex2oat user_profile_data_file:file { getattr read lock };
 
 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
-allow dex2oat app_data_file:file { getattr read write };
+allow dex2oat app_data_file:file { getattr read write lock };
 
 ##################
 # A/B OTA Dexopt #
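Review bot: The comment above the changed rule still only describes compiling secondary dex files, so nothing at the rule explains why `lock` is now granted on `app_data_file`. Add a line such as `# lock is needed because dex2oat locks the secondary dex profile during compilation.` The rule does not grant `open`, so access is presumably limited to descriptors handed to dex2oat by its caller; a short comment saying so would help future reviewers judge any later widening of this rule.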
diff --git a/public/profman.te b/public/profman.te
index ff8154060..a5c18b51d 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,6 +14,11 @@ allow profman profman_dump_data_file:file { write };
 
 allow profman installd:fd use;
 
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman app_data_file:file { getattr read write lock };
+
 ###
 ### neverallow rules
 ###
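Review bot: The comment added above the new rule says profman will "analyze" secondary dex profiles, but the rule grants `write` and `lock` as well as `getattr read`, and the denial quoted in the commit message shows only `{ read }`. If `write` is needed because profman updates a profile stored in the app's data directory (presumably the merged reference profile), the comment should say so; otherwise drop it. The rule leaves out `open`, which appears to restrict profman to descriptors passed in by installd (see `allow profman installd:fd use;` just above). That is worth stating in the comment and pinning in the neverallow section, e.g. `neverallow profman app_data_file:file open;`. The neverallow section continues outside this hunk, so an equivalent rule may already exist.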
-- 
GitLab