tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/otapreopt_chroot.te
Roland Levillain 0a6c2d013a Allow otapreopt_chroot to mount APEX packages using apexd logic. 
Allow `otapreopt_chroot` to:
- read SELinux policy files;
- open and read the contents of `/postinstall/system/apex`;
- read the `persist.apexd.verity_on_system` system property;
- create loop devices with `/dev/loop-control`;
- access loop devices;
- configure read-ahead of loop devices;
- mount a tmpfs filesystem in `/postinstall/apex`;
- manipulate the tmpfs filesystem mounted in `/postinstall/apex`;
- mount APEX packages in `/postinstall/apex`.

Allow the kernel to:
- read `otapreopt_chroot`'s file descriptors;
- read files under `/postinstall`.

Allow `otapreopt` (running as "postinstall_dexopt") to:
- read data from `/postinstall/apex`.

Allow `dex2oat` to:
- access `/postinstall/apex`.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I204df92611dc710fdc97b22cd67d088ffd991210
2019-01-17 21:42:46 +00:00

28 lines
1.2 KiB
Text
Raw Blame History

# otapreopt_chroot executable
type otapreopt_chroot, domain;
type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem mount;
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
# Allow otapreopt_chroot to read SELinux policy files.
allow otapreopt_chroot file_contexts_file:file r_file_perms;
# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
allow otapreopt_chroot postinstall_file:dir r_dir_perms;
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)
# Allow otapreopt to use file descriptors from update-engine. It will
# close them immediately.
allow otapreopt_chroot postinstall:fd use;
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
Reference in a new issue View git blame Copy permalink