Allow otapreopt
to use bind-mounted Bionic artifacts from the Runtime APEX.
Allow `otapreopt_chroot` to: - bind-mount Bionic artifacts from the Runtime APEX (`/postinstall/apex/com.android.runtime`) into `/postinstall/bionic/`; - read the `/postinstall/system/bin/linker(64)` symlink to `/postinstall/bionic/bin/linker(64)` when executing `/postinstall/system/bin/otapreopt`. Allow `otapreopt` (running as `postinstall_dexopt`) to: - read directories under `/postinstall`. Test: m otapreopt_chroot Test: A/B OTA update test (asit/dexoptota/self_full). Bug: 113373927 Bug: 120266448 Change-Id: I6de9df12d5fd84f1dd92798efed5f2d8b72d3ebe
parent
586c2cdfdf
commit
446b2fedce
@ -32,6 +32,13 @@ allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
|
||||
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
|
||||
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
|
||||
|
||||
# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
|
||||
# into /postinstall/bionic/.
|
||||
allow otapreopt_chroot postinstall_file:file mounton;
|
||||
# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
|
||||
# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
|
||||
allow otapreopt_chroot postinstall_file:lnk_file read;
|
||||
|
||||
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
|
||||
# devices used by ext4 images from APEX packages).
|
||||
allow otapreopt_chroot block_device:dir r_dir_perms;
|
||||
|
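Review bot: The new rule `allow otapreopt_chroot postinstall_file:file mounton;` is broader than the comment above it states, because `postinstall_file` (judging by the `filesystem`, `dir` and `lnk_file` rules on the same type in this commit) appears to be the generic label for the whole `/postinstall` slot, so the chroot helper is granted mounton over any file in the target slot rather than only `/postinstall/bionic/`. If the label cannot be narrowed now, the comment should say so explicitly so a later reader does not assume the grant is scoped, e.g. `# Note: postinstall_file labels all of /postinstall; the bionic paths have no dedicated type, so this grant is wider than the bind mounts it serves.`. A follow-up could give `/postinstall/bionic` its own type (set in file_contexts, not visible here) and restrict `mounton` to it. The `lnk_file read` grant is fine as a read-only permission but has the same breadth caveat.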
@ -8,7 +8,7 @@ type postinstall_dexopt, domain;
|
||||
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
|
||||
|
||||
allow postinstall_dexopt postinstall_file:filesystem getattr;
|
||||
allow postinstall_dexopt postinstall_file:dir { getattr search };
|
||||
allow postinstall_dexopt postinstall_file:dir { getattr read search };
|
||||
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
|
||||
allow postinstall_dexopt proc_filesystems:file { getattr open read };
|
||||
allow postinstall_dexopt tmpfs:file read;
|
||||
|
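Review bot: The changed `dir` rule adds `read` but not `open`, and on Android kernels an `opendir()` on a `postinstall_file` directory is checked for both; since the A/B OTA test in the description passed, `open` may already be granted elsewhere or the listing may be done without opendir, but this is worth confirming against the original denial line (or using `r_dir_perms` if a full listing is intended). The hunk also leaves the reason for the new permission undocumented; a short comment such as `# read: otapreopt enumerates directories under /postinstall.` above the rule would tie it to the commit's stated intent. The capability line at the top of the hunk is pre-existing and not part of this change.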