66fcb98464
Test: A/B OTA update test (asit/dexoptota/self_full). Bug: 113373927 Bug: 120796514 Change-Id: Icbbe1babe0dceebff2546264ddabe779babba761
29 lines
1.3 KiB
Text
29 lines
1.3 KiB
Text
# otapreopt_chroot executable
|
|
type otapreopt_chroot, domain;
|
|
type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Chroot preparation and execution.
|
|
# We need to create an unshared mount namespace, and then mount /data.
|
|
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
|
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
|
|
|
|
# This is required to mount /vendor and mount/unmount ext4 images from
|
|
# APEX packages in /postinstall/apex.
|
|
allow otapreopt_chroot block_device:dir search;
|
|
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
|
|
# Mounting /vendor can have this side-effect. Ignore denial.
|
|
dontaudit otapreopt_chroot kernel:process setsched;
|
|
|
|
# Allow otapreopt_chroot to read SELinux policy files.
|
|
allow otapreopt_chroot file_contexts_file:file r_file_perms;
|
|
|
|
# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
|
|
allow otapreopt_chroot postinstall_file:dir r_dir_perms;
|
|
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
|
|
get_prop(otapreopt_chroot, apexd_prop)
|
|
|
|
# Allow otapreopt to use file descriptors from update-engine. It will
|
|
# close them immediately.
|
|
allow otapreopt_chroot postinstall:fd use;
|
|
allow otapreopt_chroot update_engine:fd use;
|
|
allow otapreopt_chroot update_engine:fifo_file write;
|