Merge changes from topics "runtime-apex-otapreopt_chroot-tear-down", "runtime-apex-installd-support", "runtime-apex-otapreopt_chroot-support"
* changes: Allow `oatpreopt_chroot` to deactivate APEX packages in `/postinstall/apex`. Allow `oatpreopt` to run `dex2oat` from the Runtime APEX. Allow `otapreopt_chroot` to mount APEX packages using `apexd` logic.
This commit is contained in:
Roland Levillain
Gerrit Code Review
commit
c5ec14ba9a
6 changed files with 57 additions and 1 deletions
|
|
@ -2,3 +2,33 @@ typeattribute otapreopt_chroot coredomain;
|
|||
|
||||
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
|
||||
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
||||
|
||||
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
|
||||
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
|
||||
# Allow otapreopt_chroot to access loop devices.
|
||||
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
|
||||
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
|
||||
LOOP_GET_STATUS64
|
||||
LOOP_SET_STATUS64
|
||||
LOOP_SET_FD
|
||||
LOOP_SET_BLOCK_SIZE
|
||||
LOOP_SET_DIRECT_IO
|
||||
LOOP_CLR_FD
|
||||
BLKFLSBUF
|
||||
};
|
||||
|
||||
# Allow otapreopt_chroot to configure read-ahead of loop devices.
|
||||
allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
|
||||
allow otapreopt_chroot sysfs_loop:file rw_file_perms;
|
||||
|
||||
# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
|
||||
allow otapreopt_chroot tmpfs:filesystem mount;
|
||||
# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
|
||||
allow otapreopt_chroot tmpfs:dir create_dir_perms;
|
||||
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
|
||||
allow otapreopt_chroot tmpfs:dir mounton;
|
||||
|
||||
# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
|
||||
allow otapreopt_chroot labeledfs:filesystem unmount;
|
||||
# Allow otapreopt_chroot to access /dev/block.
|
||||
allow otapreopt_chroot block_device:dir r_dir_perms;
|
||||
|
|
|
|||
|
|
@ -2,4 +2,4 @@ typeattribute postinstall_dexopt coredomain;
|
|||
|
||||
# Run dex2oat/patchoat in its own sandbox.
|
||||
# We have to manually transition, as we don't have an entrypoint.
|
||||
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
|
||||
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
|
||||
|
|
|
|||
|
|
@ -46,6 +46,15 @@ allow dex2oat postinstall_file:dir { getattr search };
|
|||
allow dex2oat postinstall_file:filesystem getattr;
|
||||
allow dex2oat postinstall_file:lnk_file { getattr read };
|
||||
|
||||
# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
|
||||
allow dex2oat postinstall_file:file read;
|
||||
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
|
||||
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
|
||||
allow dex2oat postinstall_file:file { execute getattr open };
|
||||
|
||||
# Allow dex2oat access to /postinstall/apex.
|
||||
allow dex2oat tmpfs:dir search;
|
||||
|
||||
# Allow dex2oat access to files in /data/ota.
|
||||
allow dex2oat ota_data_file:dir ra_dir_perms;
|
||||
allow dex2oat ota_data_file:file r_file_perms;
|
||||
|
|
|
|||
|
|
@ -88,6 +88,12 @@ allow kernel apexd:fd use;
|
|||
allow kernel apex_data_file:file read;
|
||||
allow kernel staging_data_file:file read;
|
||||
|
||||
# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
|
||||
# files under /postinstall, as it uses apexd logic to mount APEX packages in
|
||||
# /postinstall/apex.
|
||||
allow kernel otapreopt_chroot:fd use;
|
||||
allow kernel postinstall_file:file read;
|
||||
|
||||
# Allow the first-stage init (which is running in the kernel domain) to execute the
|
||||
# dynamic linker when it re-executes /init to switch into the second stage.
|
||||
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
|
||||
|
|
|
|||
|
|
@ -13,6 +13,14 @@ allow otapreopt_chroot labeledfs:filesystem mount;
|
|||
# Mounting /vendor can have this side-effect. Ignore denial.
|
||||
dontaudit otapreopt_chroot kernel:process setsched;
|
||||
|
||||
# Allow otapreopt_chroot to read SELinux policy files.
|
||||
allow otapreopt_chroot file_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
|
||||
allow otapreopt_chroot postinstall_file:dir r_dir_perms;
|
||||
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
|
||||
get_prop(otapreopt_chroot, apexd_prop)
|
||||
|
||||
# Allow otapreopt to use file descriptors from update-engine. It will
|
||||
# close them immediately.
|
||||
allow otapreopt_chroot postinstall:fd use;
|
||||
|
|
|
|||
|
|
@ -13,6 +13,9 @@ allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
|
|||
allow postinstall_dexopt proc_filesystems:file { getattr open read };
|
||||
allow postinstall_dexopt tmpfs:file read;
|
||||
|
||||
# Read data from /postinstall/apex.
|
||||
allow postinstall_dexopt tmpfs:dir { read search };
|
||||
|
||||
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
|
||||
# here and having to relabel the directory.
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue