platform_system_sepolicy/private/postinstall_dexopt.te
Alex Light a1cdf2e311 Use postinstall file_contexts
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.

Bug: 181182967
Test: Manual OTA of blueline
Test: lunch wembley-userdebug; m droid
Ignore-AOSP-First: Requires changes to device/mediatek/wembley-sepolicy
                   to be applied simultaneously to avoid breaking
                   builds. Once merged this will be cherry-picked back
                   to AOSP to maintain state.
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
2021-03-25 00:01:25 +00:00

78 lines
3.5 KiB
Text

# Domain for the otapreopt executable, running under postinstall_dexopt
#
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
# - Case where dex2oat is in a non-flattened APEX, which has retained
# the correct type (`dex2oat_exec`).
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
# - Case where dex2oat is in a flattened APEX, which has been tagged
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt rootfs:file r_file_perms;
allow postinstall_dexopt tmpfs:file read;
# Allow access to /postinstall/apex.
allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.
# Read app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, apk_data_file)
# Read vendor app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_app_file)
# Read vendor overlay files (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_overlay_file)
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
allow postinstall_dexopt ota_data_file:file create_file_perms;
allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
# TODO: See whether we can apply ota_data_file?
allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
# Allow labeling of files under /data/app/com.example/oat/
# TODO: Restrict to .b suffix?
allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
# Check validity of SELinux context before use.
selinux_check_context(postinstall_dexopt)
selinux_check_access(postinstall_dexopt)
# Postinstall wants to know about our child.
allow postinstall_dexopt postinstall:process sigchld;
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;
# Allow postinstall_dexopt to access the runtime feature flag properties.
get_prop(postinstall_dexopt, device_config_runtime_native_prop)
get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)