Allow otapreopt_chroot to use a flattened Runtime APEX package.

- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
  execute `dex2oat` from `/postinstall` -- this is for the case where
  it is located in a flattened Runtime APEX in
  `/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
  `/postinstall/system/apex` (which are bind-mounted in
  `/postinstall/apex`).

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
This commit is contained in:
Roland Levillain 2019-03-13 18:52:23 +00:00
parent 87b6d4018d
commit 66f40a8b2d
3 changed files with 10 additions and 3 deletions

View file

@ -42,11 +42,10 @@ allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock
# Allow dex2oat to use file descriptors from otapreopt. # Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use; allow dex2oat postinstall_dexopt:fd use;
allow dex2oat postinstall_file:dir { getattr search }; # Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
allow dex2oat postinstall_file:dir r_dir_perms;
allow dex2oat postinstall_file:filesystem getattr; allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read }; allow dex2oat postinstall_file:lnk_file { getattr read };
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
allow dex2oat postinstall_file:file read; allow dex2oat postinstall_file:file read;
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so). # Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX. # TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.

View file

@ -11,6 +11,9 @@ allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot }
# APEX packages in /postinstall/apex. # APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search; allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem { mount unmount }; allow otapreopt_chroot labeledfs:filesystem { mount unmount };
# This is required to unmount flattened APEX packages under
# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
allow otapreopt_chroot postinstall_file:filesystem unmount;
# Mounting /vendor can have this side-effect. Ignore denial. # Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched; dontaudit otapreopt_chroot kernel:process setsched;

View file

@ -7,7 +7,12 @@ type postinstall_dexopt, domain, coredomain;
# Run dex2oat/patchoat in its own sandbox. # Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint. # We have to manually transition, as we don't have an entrypoint.
# - Case where dex2oat is in a non-flattened APEX, which has retained
# the correct type (`dex2oat_exec`).
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat) domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
# - Case where dex2oat is in a flattened APEX, which has been tagged
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid }; allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };