From 99902a175b62d242a40ab7957b284f667a03b424 Mon Sep 17 00:00:00 2001
From: Jiyong Park
Date: Mon, 13 May 2019 12:54:39 +0900
Subject: [PATCH] Don't use apexd when TARGET_FLATTEN_APEX == true

/system/apex/com.android.runtime is labeled as runtime_apex_dir and init is allowed to mount on it. When TARGET_FLATTEN_APEX is true (= ro.apex.updatable is unset or set to false), apexd is not used to activate the built-in flattened APEXes. Init simply bind-mounts /system/apex to /apex. However, there is a special case here. The runtime APEX is installed as either /system/apex/com.android.runtime.debug or /system/apex/com.android.runtime.release, whereas it should be activated on /apex/com.android.runtime - without the .debug or .release suffix. To handle that case, the build system creates an empty directory /system/apex/com.android.runtime and the .debug or .release directory is bind-mounted to the empty directory by init at runtime.

Bug: 132413565
Test: marlin is bootable
Change-Id: I3fde5ff831429723fecd1fa5c10e44f636a63f09
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/file_contexts | 1 +
 public/file.te | 2 ++
 public/init.te | 3 +++
 6 files changed, 9 insertions(+)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3c6ba08b2..293d97d24 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -136,6 +136,7 @@
 recovery_socket
 role_service
 runas_app
+ runtime_apex_dir
 runtime_service
 secure_element
 secure_element_device
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 3b9bd52e0..fbc241ae8 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -123,6 +123,7 @@
 recovery_socket
 role_service
 runas_app
+ runtime_apex_dir
 runtime_service
 secure_element
 secure_element_device
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d01bfe252..3b6d2c185 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -114,6 +114,7 @@
 rss_hwm_reset_exec
 runas_app
 runas_app_tmpfs
+ runtime_apex_dir
 runtime_service
 sdcard_block_device
 sensor_privacy_service
diff --git a/private/file_contexts b/private/file_contexts
index c2f9e152d..dfeeb8a95 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -179,6 +179,7 @@
 # System files
 #
 /system(/.*)? u:object_r:system_file:s0
+/system/apex/com.android.runtime u:object_r:runtime_apex_dir:s0
 /system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
 /system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/atrace u:object_r:atrace_exec:s0
diff --git a/public/file.te b/public/file.te
index 53811e01f..c78ddd5b9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -172,6 +172,8 @@ type vendor_cgroup_desc_file, vendor_file_type, file_type; type task_profiles_file, system_file_type, file_type; # Vendor task profiles file under /vendor/etc/task_profiles.json type vendor_task_profiles_file, vendor_file_type, file_type; +# Type for /system/apex/com.android.runtime +type runtime_apex_dir, system_file_type, file_type; # Default type for directories search for # HAL implementations
diff --git a/public/init.te b/public/init.te
index 5ceef721a..0536b73ed 100644
--- a/public/init.te
+++ b/public/init.te
@@ -92,6 +92,9 @@ allow init device:dir mounton; # Mount tmpfs on /apex allow init apex_mnt_dir:dir mounton; +# Bind-mount on /system/apex/com.android.runtime +allow init runtime_apex_dir:dir mounton; + # Create and remove symlinks in /. allow init rootfs:lnk_file { create unlink };
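Review bot: The dots in the added private/file_contexts entry `/system/apex/com.android.runtime` are unescaped, and file_contexts paths are regular expressions, so each `.` matches any character and the entry can label more than the one directory the commit message describes. Writing it as `/system/apex/com\.android\.runtime u:object_r:runtime_apex_dir:s0` limits the label to the literal mount point. The missing `(/.*)?` suffix looks intentional, since the directory is created empty and serves only as a bind-mount target, but a one-line comment above the entry saying so would keep a later edit from widening it.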
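Review bot: The comment added in public/file.te names the path for `runtime_apex_dir` but not why the directory needs its own type. Going by the commit message, it is an empty placeholder that init bind-mounts the `.debug` or `.release` runtime APEX onto when TARGET_FLATTEN_APEX is true, so I would write `# Empty mount point /system/apex/com.android.runtime (flattened APEX only); init bind-mounts the runtime APEX onto it`. Declaring the type under public/ presumably also exposes it to vendor policy; it is worth confirming that this is intended for a type with a single init rule.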
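Review bot: The new `allow init runtime_apex_dir:dir mounton;` in public/init.te is not paired with a rule that keeps the permission exclusive to init, so a later change could grant `mounton` on the runtime APEX mount point to another domain without failing the policy build. If no existing neverallow already covers this type, adding `neverallow { domain -init } runtime_apex_dir:dir mounton;` would pin the intent. The allow rule is also unconditional, while the commit message says the bind mount happens only when TARGET_FLATTEN_APEX is true; the comment could record that, e.g. `# Bind-mount the runtime APEX on /system/apex/com.android.runtime (flattened APEX only)`.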