From 51bd92505b71657b729584487546dc85c145ccdd Mon Sep 17 00:00:00 2001
From: Orion Hodson
Date: Tue, 17 Aug 2021 19:02:42 +0100
Subject: [PATCH] odrefresh: add permission to sigkill child processes

(cherry picked from commit 522bcbe9e635f8f099173af1a14b5062cb3b3dac)
Ignore-AOSP-First: cherry-pick from aosp
Bug: 177432913
Bug: 196969404
Test: manually decrease odrefresh compilation timeout, no avc denied
Change-Id: I7dec0a3d82c82b5dea4b5f3f38d9170bb1f40840
(cherry picked from commit 86477d7933de19848fe190f0f8b188a47ef336ad)
---
 prebuilts/api/31.0/private/odrefresh.te | 6 ++++++
 private/odrefresh.te | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/prebuilts/api/31.0/private/odrefresh.te b/prebuilts/api/31.0/private/odrefresh.te
index 7a642475c..3db1ae8c2 100644
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ b/prebuilts/api/31.0/private/odrefresh.te
@@ -21,9 +21,15 @@ allow odrefresh apex_art_staging_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
 
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
 
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
 # Use devpts and fd from odsign (which exec()'s odrefresh)
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 7a642475c..3db1ae8c2 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -21,9 +21,15 @@ allow odrefresh apex_art_staging_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
 
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
 
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
 # Use devpts and fd from odsign (which exec()'s odrefresh)
 allow odrefresh odsign_devpts:chr_file { read write };
 allow odrefresh odsign:fd use;
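Review bot: The two added `sigkill` allow rules in private/odrefresh.te are scoped as tightly as the timeout case needs, but nothing in this hunk pins that scope, so a later edit could widen it to other domains or to the broader `signal` permission without a build error. Consider following them with a guard such as `neverallow odrefresh { domain -odrefresh -dex2oat -dexoptanalyzer }:process sigkill;`; it would need a policy build to confirm it does not clash with rules outside this hunk. Only part of the file is visible here, so an existing neverallow elsewhere is not ruled out. The prebuilts/api/31.0 copy in the first hunk carries the same lines and would presumably need the same addition to stay in sync.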