Andreas Gampe
47ebae1a7a
Selinux: introduce policy for OTA preopt
...
Add permissions to dex2oat, introduce otapreopt binary and otadexopt
service.
Bug: 25612095
Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7
2016-02-04 16:58:43 -08:00
Calin Juravle
de41b3d900
Allow dex2oat to access profile files
...
Bug: 26080105
Change-Id: I8075d093bb5adc3d856033be3b3aaa38254e8071
2016-01-14 16:43:34 -08:00
Jeff Vander Stoep
d22987b4da
Create attribute for moving perms out of domain
...
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Fyodor Kupolov
b87a4b16d2
Support for storing OAT files in app directory
...
oat dir inside apk_tmp_file should be labeled as dalvikcache_data_file.
Bug: 19550105
Change-Id: Ie928b5f47bfc42167bf86fdf10d6913ef25d145d
2015-04-02 14:32:43 -07:00
Nick Kralevich
adbabeebb2
Allow dex2oat to work on /oem APKs
...
Dex2oat needs the ability to read from already open file descriptors
in /oem so that apps from that location can be installed. Allow it.
Addresses the following denials:
avc: denied { read } for comm="dex2oat" path="/oem/app/TabletInfo.apk" dev="mmcblk0p12" ino=20 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/AskMe_android_one.apk" dev="mmcblk0p12" ino=14 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerRegulatoryInfo.apk" dev="mmcblk0p12" ino=19 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerLauncherProvider.apk" dev="mmcblk0p12" ino=18 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/Amazon_Mobile_com.apk" dev="mmcblk0p12" ino=13 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerBookmarksProvider.apk" dev="mmcblk0p12" ino=17 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/Hike.apk" dev="mmcblk0p12" ino=15 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/MiLive_embedded_IndiaGames_version4.0_android1.apk" dev="mmcblk0p12" ino=16 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
Bug: 18539205
Change-Id: I92bd91c66befc5a1060dd189324b2c046bba0258
2014-11-26 11:46:06 -08:00
Igor Murashkin
f7ccfd003c
zygote/dex2oat: Grant additional symlink permissions
...
* zygote needs to be able to symlink from dalvik cache to system
to avoid having to copy boot.oat
(when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
(the one that zygote creates)
(cherry-picked from AOSP master 83c5612e69)
Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62
2014-10-31 10:21:48 -07:00
Nick Kralevich
e4aa75db61
dex2oat: fix forward-locked upgrades with unlabeled asecs
...
dex2oat fails when upgrading unlabeled asec containers.
Steps to reproduce:
1) Install a forward locked app on Android 4.1
adb install -l foo.apk
2) Upgrade to tip-of-tree
Addresses the following denial:
<4>[ 379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
(cherry picked from commit 270be6e86a)
Change-Id: I58dc6ebe61a5b5840434077a55f1afbeed602137
2014-07-16 16:04:40 -07:00
Nick Kralevich
94b2ba9463
dex2oat: fix forward locked apps
...
dex2oat can't access file descriptors associated with asec_apk_files.
This breaks installing forward locked apps, and generates the following
denial:
type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
Steps to reproduce:
$ adb install -r -l SimpleJNI.apk
Expected:
app installs
Actual:
app fails to install.
Bug: 16328233
(cherry picked from commit 5259c5e616)
Change-Id: I1969b9ae8d2187f4860587f7ff42d16139657b5b
2014-07-16 09:53:40 -07:00
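The denials quoted in the /oem, unlabeled asec and forward-locked commit messages above can be reduced to candidate rules mechanically. The following is an added example, not code from these commits or from the AOSP tree: the function names are hypothetical, the sample lines are copied from this page, and the rules it prints are input for policy review rather than the rules those commits actually added.

```python
import re
from collections import defaultdict

# Denial lines copied from the commit messages on this page (two of the eight /oem lines).
SAMPLE = """\
avc: denied { read } for comm="dex2oat" path="/oem/app/TabletInfo.apk" dev="mmcblk0p12" ino=20 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
avc: denied { read } for comm="dex2oat" path="/oem/app/Hike.apk" dev="mmcblk0p12" ino=15 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
<4>[ 379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted or bare (dev=dm-0)

def parse_denial(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC.search(line)  # search, not match: tolerates kernel/audit prefixes
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    try:
        # A context is user:role:type:level; policy rules name the type.
        source = f["scontext"].split(":")[2]
        target = f["tcontext"].split(":")[2]
        tclass = f["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": m.group(1).split(), "source": source, "target": target,
            "tclass": tclass, "path": f.get("path")}

def summarize(text):
    """Group denials by (source type, target type, class), keeping the paths hit."""
    groups = defaultdict(lambda: {"perms": set(), "paths": []})
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            g = groups[(d["source"], d["target"], d["tclass"])]
            g["perms"].update(d["perms"])
            g["paths"].append(d["path"])
    return dict(groups)

def candidate_rules(text):
    """Render one candidate allow rule per group; each still needs human review."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(text).items()):
        perms = sorted(g["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out
```

Calling `candidate_rules(SAMPLE)` yields one rule per target type (`asec_apk_file`, `oemfs`, `unlabeled`), and `summarize` keeps the paths behind each rule so a reviewer can see exactly which files the grant would cover.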
Ed Heyl
8ee37b4f1c
reconcile aosp (c103da877b) after branching. Please do not merge.
...
Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
2014-07-14 23:32:08 -07:00