47ebae1a7a
Add permissions to dex2oat, introduce otapreopt binary and otadexopt service. Bug: 25612095 Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7
# SELinux policy for the otapreopt executable.
#
# otapreopt is the process domain; otapreopt_exec labels its binary on disk.
# NOTE(review): mlstrustedsubject exempts this domain from MLS separation
# constraints, so every rule below applies across MLS categories/levels.
type otapreopt, domain, mlstrustedsubject;
type otapreopt_exec, exec_type, file_type;

# Enter the otapreopt domain when init executes a file labeled otapreopt_exec.
init_daemon_domain(otapreopt)

# Capabilities for changing file ownership and process IDs.
# NOTE(review): dac_override bypasses discretionary (mode-bit) permission checks
# and is the broadest grant in this set; confirm that each capability is needed.
allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid };

# Note: /data/ota is created by init (see system/core/rootdir/init.rc), so this
# domain needs neither access to the parent directory nor the ability to relabel
# /data/ota itself.

# Create and write directories, regular files and symlinks under /data/ota(/*).
allow otapreopt ota_data_file:dir create_dir_perms;
allow otapreopt ota_data_file:{ file lnk_file } create_file_perms;

# Allow labeling of files under /data/app/com.example/oat/.
# relabelto lets otapreopt give objects the dalvikcache_data_file label; link
# permits hard links to files that carry that label.
# TODO: Restrict to .b suffix?
allow otapreopt dalvikcache_data_file:dir relabelto;
allow otapreopt dalvikcache_data_file:file { link relabelto };

# Read-only directory access to selinuxfs.
allow otapreopt selinuxfs:dir r_dir_perms;

# Validate an SELinux context, and query access decisions, before using a label.
selinux_check_context(otapreopt)
selinux_check_access(otapreopt)

# Run dex2oat in its own sandbox: executing a dex2oat_exec file from otapreopt
# transitions to the dex2oat domain, so it does not run with the rules above.
domain_auto_trans(otapreopt, dex2oat_exec, dex2oat)

# Allow otapreopt to use file descriptors that belong to installd.
allow otapreopt installd:fd use;