d47c1e93ae
To include target slot names in the naming of A/B OTA artifacts, and new path has been implemented. Instead of passing through the system server and forking off of installd, otapreopt_chroot is now driven directly from the otapreopt script. Change the selinux policy accordingly: allow a transition from postinstall to otapreopt_chroot, and let otapreopt_chroot inherit the file descriptors that update_engine had opened (it will close them immediately, do not give rights to the downstream executables otapreopt and dex2oat). Bug: 25612095 Bug: 28069686 Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb
59 lines
2.4 KiB
Text
59 lines
2.4 KiB
Text
# Domain for the otapreopt executable, running under postinstall_dexopt
|
|
#
|
|
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
|
|
# this is derived and adapted from installd.te.
|
|
|
|
type postinstall_dexopt, domain;
|
|
|
|
# init_daemon_domain(otapreopt)
|
|
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
|
|
|
|
allow postinstall_dexopt postinstall_file:dir { getattr search };
|
|
allow postinstall_dexopt proc:file { getattr open read };
|
|
allow postinstall_dexopt tmpfs:file read;
|
|
|
|
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
|
|
# here and having to relabel the directory.
|
|
|
|
# Read app data (APKs) as input to dex2oat.
|
|
r_dir_file(postinstall_dexopt, apk_data_file)
|
|
# Access to app oat directory.
|
|
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
|
|
|
|
# Read profile data.
|
|
allow postinstall_dexopt user_profile_data_file:dir { getattr search };
|
|
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
|
|
|
|
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
|
|
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
|
|
allow postinstall_dexopt ota_data_file:file create_file_perms;
|
|
allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
|
|
|
|
# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
|
|
# TODO: See whether we can apply ota_data_file?
|
|
allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
|
|
allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
|
|
|
|
# Allow labeling of files under /data/app/com.example/oat/
|
|
# TODO: Restrict to .b suffix?
|
|
allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
|
|
allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
|
|
|
|
allow postinstall_dexopt selinuxfs:dir r_dir_perms;
|
|
|
|
# Check validity of SELinux context before use.
|
|
selinux_check_context(postinstall_dexopt)
|
|
selinux_check_access(postinstall_dexopt)
|
|
|
|
# Run dex2oat/patchoat in its own sandbox.
|
|
# We have to manually transition, as we don't have an entrypoint.
|
|
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
|
|
|
|
# Postinstall wants to know about our child.
|
|
allow postinstall_dexopt postinstall:process sigchld;
|
|
|
|
# Allow otapreopt to use file descriptors from otapreopt_chroot.
|
|
# TODO: Probably we can actually close file descriptors...
|
|
allow postinstall_dexopt otapreopt_chroot:fd use;
|
|
|
|
allow postinstall_dexopt cpuctl_device:dir search;
|