platform_system_sepolicy/public/otapreopt_chroot.te

# otapreopt_chroot executable
type otapreopt_chroot, domain;
type otapreopt_chroot_exec, exec_type, file_type;

# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };

# This is required to mount /vendor.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem mount;
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;

# Allow otapreopt to use file descriptors from update-engine. It will
# close them immediately.
allow otapreopt_chroot postinstall:fd use;
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
Selinux: Policies for otapreopt_chroot and postinstall_dexopt Give mount & chroot permissions to otapreopt_chroot related to postinstall. Add postinstall_dexopt for otapreopt in the B partition. Allow the things installd can do for dexopt. Give a few more rights to dex2oat for postinstall files. Allow postinstall files to call the system server. Bug: 25612095 Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7 2016-03-30 00:08:20 +02:00			`# otapreopt_chroot executable`
			`type otapreopt_chroot, domain;`
			`type otapreopt_chroot_exec, exec_type, file_type;`

			`# Chroot preparation and execution.`
			`# We need to create an unshared mount namespace, and then mount /data.`
			`allow otapreopt_chroot postinstall_file:dir { search mounton };`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };`
Selinux: Policies for otapreopt_chroot and postinstall_dexopt Give mount & chroot permissions to otapreopt_chroot related to postinstall. Add postinstall_dexopt for otapreopt in the B partition. Allow the things installd can do for dexopt. Give a few more rights to dex2oat for postinstall files. Allow postinstall files to call the system server. Bug: 25612095 Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7 2016-03-30 00:08:20 +02:00
Sepolicy: allow otapreopt_chroot to mount vendor (cherry picked from commit ec4b9d67057a9999ef0244873ecf2183f67f59bb) Vendor apps are usually not preopted, so A/B dexopt should pick them up. update_engine is not mounting the vendor partition, so let otapreopt_chroot do the work. This change gives otapreopt_chroot permission to mount /vendor into the chroot environment. Bug: 25612095 Bug: 29498238 Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb 2016-07-12 18:48:52 +02:00			`# This is required to mount /vendor.`
			`allow otapreopt_chroot block_device:dir search;`
			`allow otapreopt_chroot labeledfs:filesystem mount;`
Sepolicy: Ignore otapreopt_chroot setsched denial Ignore, as it's a side effect of mounting /vendor. Bug: 31116514 Change-Id: If94a27a26181e40de5c5e60f5446de9ce2ccdba0 (cherry picked from commit 0f81e06630a3093b44483e54761a3505f5dc25c4) 2016-10-06 01:19:39 +02:00			`# Mounting /vendor can have this side-effect. Ignore denial.`
			`dontaudit otapreopt_chroot kernel:process setsched;`
Sepolicy: allow otapreopt_chroot to mount vendor (cherry picked from commit ec4b9d67057a9999ef0244873ecf2183f67f59bb) Vendor apps are usually not preopted, so A/B dexopt should pick them up. update_engine is not mounting the vendor partition, so let otapreopt_chroot do the work. This change gives otapreopt_chroot permission to mount /vendor into the chroot environment. Bug: 25612095 Bug: 29498238 Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb 2016-07-12 18:48:52 +02:00
Sepolicy: Adapt for new A/B OTA flow (cherry picked from commit d47c1e93ae8dbec88327cf96a4b8d788994dedf0) To include target slot names in the naming of A/B OTA artifacts, and new path has been implemented. Instead of passing through the system server and forking off of installd, otapreopt_chroot is now driven directly from the otapreopt script. Change the selinux policy accordingly: allow a transition from postinstall to otapreopt_chroot, and let otapreopt_chroot inherit the file descriptors that update_engine had opened (it will close them immediately, do not give rights to the downstream executables otapreopt and dex2oat). Bug: 25612095 Bug: 28069686 Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb 2016-07-09 03:31:10 +02:00			`# Allow otapreopt to use file descriptors from update-engine. It will`
			`# close them immediately.`
			`allow otapreopt_chroot postinstall:fd use;`
			`allow otapreopt_chroot update_engine:fd use;`
			`allow otapreopt_chroot update_engine:fifo_file write;`