Sepolicy: allow otapreopt_chroot to mount vendor
(cherry picked from commit ec4b9d6705
)
Vendor apps are usually not preopted, so A/B dexopt should pick
them up. update_engine is not mounting the vendor partition, so
let otapreopt_chroot do the work.
This change gives otapreopt_chroot permission to mount /vendor
into the chroot environment.
Bug: 25612095
Bug: 29498238
Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb
This commit is contained in:
parent
b4b78c18a9
commit
c9ce12bae6
2 changed files with 5 additions and 1 deletions
|
@ -278,7 +278,7 @@ neverallow { domain -init -ueventd } device:chr_file { open read write };
|
||||||
# Limit what domains can mount filesystems or change their mount flags.
|
# Limit what domains can mount filesystems or change their mount flags.
|
||||||
# sdcard_type / vfat is exempt as a larger set of domains need
|
# sdcard_type / vfat is exempt as a larger set of domains need
|
||||||
# this capability, including device-specific domains.
|
# this capability, including device-specific domains.
|
||||||
neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Assert that, to the extent possible, we're not loading executable content from
|
# Assert that, to the extent possible, we're not loading executable content from
|
||||||
|
|
|
@ -7,6 +7,10 @@ type otapreopt_chroot_exec, exec_type, file_type;
|
||||||
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
||||||
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
|
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
|
||||||
|
|
||||||
|
# This is required to mount /vendor.
|
||||||
|
allow otapreopt_chroot block_device:dir search;
|
||||||
|
allow otapreopt_chroot labeledfs:filesystem mount;
|
||||||
|
|
||||||
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
|
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
|
||||||
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue