Sepolicy: Add base runtime APEX preinstall policies

Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.

Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036

apex/com.android.runtime.debug-file_contexts

@@ -1,10 +1,11 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/bin/dex2oat(d)?         u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer(d)?  u:object_r:dexoptanalyzer_exec:s0
-/bin/profman(d)?         u:object_r:profman_exec:s0
-/bin/linker(64)?         u:object_r:system_linker_exec:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
-/etc/tz(/.*)?            u:object_r:system_zoneinfo_file:s0
+(/.*)?                        u:object_r:system_file:s0
+/bin/dex2oat(d)?              u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)?       u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)?              u:object_r:profman_exec:s0
+/bin/linker(64)?              u:object_r:system_linker_exec:s0
+/lib(64)?(/.*)?               u:object_r:system_lib_file:s0
+/etc/tz(/.*)?                 u:object_r:system_zoneinfo_file:s0
+/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0

private/apexd.te

@@ -76,6 +76,10 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
 # Allow apexd to log to the kernel.
 allow apexd kmsg_device:chr_file w_file_perms;
 
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
 # Apex pre- & post-install permission.
 
 # Allow self-execute for the fork mount helper.
@@ -89,9 +93,8 @@ allow apexd rootfs:dir mounton;
 # rule is required, thus restricted to execute and not execute_no_trans.
 allow apexd shell_exec:file { r_file_perms execute };
 
-# Allow apexd to reboot device. Required for rollbacks of apexes that are
-# not covered by rollback manager.
-set_prop(apexd, powerctl_prop)
+# Allow transition to ART APEX preinstall domain.
+domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
 
 # Allow transition to test APEX preinstall domain.
 userdebug_or_eng(`

private/art_apex_preinstall.te

@@ -0,0 +1,26 @@
+# ART APEX preinstall.
+#
+
+type art_apex_preinstall, domain, coredomain;
+type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_preinstall apexd:fd use;
+
+# Create temp dirs and files under /data/ota.
+allow art_apex_preinstall ota_data_file:dir create_dir_perms;
+allow art_apex_preinstall ota_data_file:file create_file_perms;
+# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
+# mount namespace.
+allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
+allow art_apex_preinstall self:capability sys_admin;
+
+# Script helpers.
+allow art_apex_preinstall shell_exec:file rx_file_perms;
+allow art_apex_preinstall toolbox_exec:file rx_file_perms;
+
+# Execute subscripts in the same domain.
+allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
+
+# Run dex2oat.
+domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)

private/dex2oat.te

@@ -68,6 +68,16 @@ allow dex2oat ota_data_file:lnk_file { create read };
 # create them itself (and make them world-readable).
 allow dex2oat ota_data_file:file { create w_file_perms setattr };
 
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
+
 ##############
 # Neverallow #
 ##############