From e843044cc1837e12060cf120edb265b2fc874ab3 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Tue, 11 Apr 2017 20:33:37 -0700
Subject: [PATCH] sepolicy: Allow postinstall_dexopt /vendor/app access

Follow-up to commit 1b5f81a2d2fd0a09de75b416c3e995c4b9728192.

Bug: 36681210
Bug: 37158297
Test: lunch sailfish-userdebug && m
Test: Manually run OTA
Change-Id: Ifb4808c9255842a51a660c07ffd924cef52024c5
---
 public/domain.te             | 2 ++
 public/postinstall_dexopt.te | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 66029f812..2a27ad965 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -686,6 +686,7 @@ full_treble_only(`
         -idmap
         -init
         -installd
+        -postinstall_dexopt
         -system_server
     } vendor_app_file:dir { open read getattr search };
 
@@ -696,6 +697,7 @@ full_treble_only(`
         -idmap
         -init
         -installd
+        -postinstall_dexopt
         -system_server
     } vendor_app_file:{ file lnk_file } r_file_perms;
 
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 76001f7bb..b66c9274b 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -17,6 +17,8 @@ allow postinstall_dexopt tmpfs:file read;
 
 # Read app data (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)