Add support for invoking derive_classpath from otadexopt

otadexopt needs to be able to invoke derive_classpath in order to
determine the boot-classpath after the OTA finishes.

Test: manual OTA on blueline
Bug: 186432034
Change-Id: I3ec561fc0aa9de25ae1186f012ef72ba851990d0

private/derive_classpath.te

@@ -13,3 +13,13 @@ allow derive_classpath environ_system_data_file:file create_file_perms;
 
 # b/183079517 fails on gphone targets otherwise
 allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;

private/postinstall_dexopt.te

@@ -5,6 +5,7 @@
 
 type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
 type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
 
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
@@ -15,6 +16,12 @@ domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
 #   with the `postinstall_file` type by update_engine.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
 allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;