From 8393a05fee133580e6bf43d5aa1c97267f4f5d6c Mon Sep 17 00:00:00 2001 From: Alex Light Date: Mon, 26 Apr 2021 16:46:57 -0700 Subject: [PATCH] Add support for invoking derive_classpath from otadexopt otadexopt needs to be able to invoke derive_classpath in order to determine the boot-classpath after the OTA finishes. Test: manual OTA on blueline Bug: 186432034 Change-Id: I3ec561fc0aa9de25ae1186f012ef72ba851990d0 --- private/derive_classpath.te | 10 ++++++++++ private/postinstall_dexopt.te | 7 +++++++ 2 files changed, 17 insertions(+) diff --git a/private/derive_classpath.te b/private/derive_classpath.te index caa605869..2299ba092 100644 --- a/private/derive_classpath.te +++ b/private/derive_classpath.te @@ -13,3 +13,13 @@ allow derive_classpath environ_system_data_file:file create_file_perms; # b/183079517 fails on gphone targets otherwise allow derive_classpath unlabeled:dir search; + +# Allow derive_classpath to write the classpath into ota dexopt +# - Read the ota's apex dir +allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms; +# - Report the BCP to the ota's dexopt +allow derive_classpath postinstall_dexopt:dir search; +allow derive_classpath postinstall_dexopt:fd use; +allow derive_classpath postinstall_dexopt:file read; +allow derive_classpath postinstall_dexopt:lnk_file read; +allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms; diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te index 0b1a032f8..94af0436b 100644 --- a/private/postinstall_dexopt.te +++ b/private/postinstall_dexopt.te @@ -5,6 +5,7 @@ type postinstall_dexopt, domain, coredomain, mlstrustedsubject; type postinstall_dexopt_exec, system_file_type, exec_type, file_type; +type postinstall_dexopt_tmpfs, file_type; # Run dex2oat/patchoat in its own sandbox. # We have to manually transition, as we don't have an entrypoint. @@ -15,6 +16,12 @@ domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat) # with the `postinstall_file` type by update_engine. domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat) +# Run derive_classpath to get the current BCP. +domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath) +# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into +tmpfs_domain(postinstall_dexopt); +allow postinstall_dexopt postinstall_dexopt_tmpfs:file open; + allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid }; allow postinstall_dexopt postinstall_file:filesystem getattr;