From 3fad86bb8a055f06123fce561531f64c6429572c Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Tue, 4 Jan 2022 17:34:53 +0000
Subject: [PATCH] Allow VS to run derive_classpath

We run it in our domain since it requires fairly minimal access.

Bug: 210472252
Test: atest virtualizationservice_device_test
Test: composd_cmd test-compile
Change-Id: Ia770cd38bda67f79f56549331d3a36d7979a5d5b
---
 private/virtualizationservice.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1418642a6..d304ae657 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -52,6 +52,10 @@ allow virtualizationservice apex_data_file:dir search;
 allow virtualizationservice staging_data_file:file r_file_perms;
 allow virtualizationservice staging_data_file:dir search;
 
+# Run derive_classpath in our domain
+allow virtualizationservice derive_classpath_exec:file rx_file_perms;
+allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
@@ -61,6 +65,7 @@ allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
+
 neverallow {
   domain
   -init