Allow otapreopt_chroot
to use a flattened Runtime APEX package.
- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to execute `dex2oat` from `/postinstall` -- this is for the case where it is located in a flattened Runtime APEX in `/postinstall/system/apex`. - Allow `dex2oat` to read directories under `/postinstall`. - Allow `otapreopt_chroot` to unmount flattened APEX packages under `/postinstall/system/apex` (which are bind-mounted in `/postinstall/apex`). Test: A/B OTA update test (asit/dexoptota/self_full). Bug: 127543974 Bug: 123684826 Bug: 113373927 Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
This commit is contained in:
parent
87b6d4018d
commit
66f40a8b2d
3 changed files with 10 additions and 3 deletions
|
@ -42,11 +42,10 @@ allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock
|
||||||
# Allow dex2oat to use file descriptors from otapreopt.
|
# Allow dex2oat to use file descriptors from otapreopt.
|
||||||
allow dex2oat postinstall_dexopt:fd use;
|
allow dex2oat postinstall_dexopt:fd use;
|
||||||
|
|
||||||
allow dex2oat postinstall_file:dir { getattr search };
|
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
|
||||||
|
allow dex2oat postinstall_file:dir r_dir_perms;
|
||||||
allow dex2oat postinstall_file:filesystem getattr;
|
allow dex2oat postinstall_file:filesystem getattr;
|
||||||
allow dex2oat postinstall_file:lnk_file { getattr read };
|
allow dex2oat postinstall_file:lnk_file { getattr read };
|
||||||
|
|
||||||
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
|
|
||||||
allow dex2oat postinstall_file:file read;
|
allow dex2oat postinstall_file:file read;
|
||||||
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
|
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
|
||||||
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
|
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
|
||||||
|
|
|
@ -11,6 +11,9 @@ allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot }
|
||||||
# APEX packages in /postinstall/apex.
|
# APEX packages in /postinstall/apex.
|
||||||
allow otapreopt_chroot block_device:dir search;
|
allow otapreopt_chroot block_device:dir search;
|
||||||
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
|
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
|
||||||
|
# This is required to unmount flattened APEX packages under
|
||||||
|
# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
|
||||||
|
allow otapreopt_chroot postinstall_file:filesystem unmount;
|
||||||
# Mounting /vendor can have this side-effect. Ignore denial.
|
# Mounting /vendor can have this side-effect. Ignore denial.
|
||||||
dontaudit otapreopt_chroot kernel:process setsched;
|
dontaudit otapreopt_chroot kernel:process setsched;
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,12 @@ type postinstall_dexopt, domain, coredomain;
|
||||||
|
|
||||||
# Run dex2oat/patchoat in its own sandbox.
|
# Run dex2oat/patchoat in its own sandbox.
|
||||||
# We have to manually transition, as we don't have an entrypoint.
|
# We have to manually transition, as we don't have an entrypoint.
|
||||||
|
# - Case where dex2oat is in a non-flattened APEX, which has retained
|
||||||
|
# the correct type (`dex2oat_exec`).
|
||||||
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
|
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
|
||||||
|
# - Case where dex2oat is in a flattened APEX, which has been tagged
|
||||||
|
# with the `postinstall_file` type by update_engine.
|
||||||
|
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
|
||||||
|
|
||||||
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
|
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue