e5d8a947bd
Give mount & chroot permissions to otapreopt_chroot related to postinstall. Add postinstall_dexopt for otapreopt in the B partition. Allow the things installd can do for dexopt. Give a few more rights to dex2oat for postinstall files. Allow postinstall files to call the system server. Bug: 25612095 Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7
# otapreopt_chroot executable
# Process type for the chroot helper; the `domain` attribute marks it as a
# process domain. Every allow rule in this file uses it as the source type.
type otapreopt_chroot, domain;
# File type for the helper's executable (exec_type and file_type attributes).
# NOTE(review): nothing in this file labels a binary with this type or lets a
# caller transition into otapreopt_chroot; presumably that lives in
# file_contexts and the caller's policy -- confirm before relying on the sandbox.
type otapreopt_chroot_exec, exec_type, file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
# search: traverse directories labeled postinstall_file.
# mounton: use such a directory as a mount point.
# Limited to class `dir`; no read/write on postinstall_file content is granted here.
allow otapreopt_chroot postinstall_file:dir { search mounton };
# sys_chroot covers chroot(2); sys_admin covers the mount and namespace setup.
# sys_admin is a very broad capability: what this domain can actually touch is
# bounded only by its type-enforcement rules, so keep those rules minimal and
# review any new allow rule for this domain with that in mind.
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
# Arguments are (source domain, executable file type, target domain): executing
# a file labeled postinstall_file from otapreopt_chroot enters postinstall_dexopt.
# The target here is postinstall_dexopt; the existing comment's "postinstall_ota"
# does not match the rule.
# NOTE(review): the trigger is the generic postinstall_file label, so any
# executable carrying that label and run from this domain lands in
# postinstall_dexopt -- confirm that scope is intended.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
# Allow otapreopt to use file descriptors from installd.
# fd:use lets otapreopt_chroot use descriptors that belong to installd. This
# passes only the descriptor check; access to the object behind each descriptor
# is still checked against that object's own type.
# NOTE(review): the source type is otapreopt_chroot, not postinstall_dexopt. If
# otapreopt itself needs these descriptors after the domain transition, that
# needs its own rule, which is not visible in this file -- confirm.
allow otapreopt_chroot installd:fd use;