Merge "Add support for invoking derive_classpath from otadexopt" am: 59e8007be0

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1687094

Change-Id: I1a763ec4c6e9d9457b72ad5b0ef090b3629e75e1
This commit is contained in:
Treehugger Robot 2021-04-28 19:34:16 +00:00 committed by Automerger Merge Worker
commit 85647c642b
2 changed files with 17 additions and 0 deletions

View file

@ -13,3 +13,13 @@ allow derive_classpath environ_system_data_file:file create_file_perms;
# b/183079517 fails on gphone targets otherwise # b/183079517 fails on gphone targets otherwise
allow derive_classpath unlabeled:dir search; allow derive_classpath unlabeled:dir search;
# Allow derive_classpath to write the classpath into ota dexopt
# - Read the ota's apex dir
allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
# - Report the BCP to the ota's dexopt
allow derive_classpath postinstall_dexopt:dir search;
allow derive_classpath postinstall_dexopt:fd use;
allow derive_classpath postinstall_dexopt:file read;
allow derive_classpath postinstall_dexopt:lnk_file read;
allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;

View file

@ -5,6 +5,7 @@
type postinstall_dexopt, domain, coredomain, mlstrustedsubject; type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
type postinstall_dexopt_exec, system_file_type, exec_type, file_type; type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
type postinstall_dexopt_tmpfs, file_type;
# Run dex2oat/patchoat in its own sandbox. # Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint. # We have to manually transition, as we don't have an entrypoint.
@ -15,6 +16,12 @@ domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
# with the `postinstall_file` type by update_engine. # with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat) domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
# Run derive_classpath to get the current BCP.
domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
tmpfs_domain(postinstall_dexopt);
allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid }; allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr; allow postinstall_dexopt postinstall_file:filesystem getattr;