PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow otapreopt to use bind-mounted Bionic artifacts from the Runtime APEX.

Browse Source 
Allow `otapreopt_chroot` to:
- bind-mount Bionic artifacts from the Runtime APEX
  (`/postinstall/apex/com.android.runtime`) into `/postinstall/bionic/`;
- read the `/postinstall/system/bin/linker(64)` symlink to
  `/postinstall/bionic/bin/linker(64)` when executing
  `/postinstall/system/bin/otapreopt`.

Allow `otapreopt` (running as `postinstall_dexopt`) to:
- read directories under `/postinstall`.

Test: m otapreopt_chroot
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120266448
Change-Id: I6de9df12d5fd84f1dd92798efed5f2d8b72d3ebe
This commit is contained in:
Roland Levillain 2019-01-31 18:38:14 +00:00
parent 586c2cdfdf
commit 446b2fedce
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
private/otapreopt_chroot.te
View File

@ -32,6 +32,13 @@ allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
# into /postinstall/bionic/.
allow otapreopt_chroot postinstall_file:file mounton;
# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
allow otapreopt_chroot postinstall_file:lnk_file read;
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;

2
public/postinstall_dexopt.te
View File

@ -8,7 +8,7 @@ type postinstall_dexopt, domain;
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;