Sepolicy: Give Otapreopt right to write A/B artifacts in /data

For apps installed /data (vs the system image), Otapreopt puts A/B artifacts alongside the regular oat location with a "b" suffix. Give Otapreopt the right to create and write such files. Bug: 25612095 Change-Id: Idf3f0959816f49407036cea9b8e684b26c510e80
2016-03-01 08:45:33 -08:00 · 2016-03-01 08:45:33 -08:00 · c83614b632
commit c83614b632
parent 79bb5d8f00
1 changed files with 10 additions and 0 deletions
--- a/otapreopt.te
+++ b/otapreopt.te
@ -8,11 +8,21 @@ allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
 # here and having to relabel the directory.

+# Read app data (APKs) as input to dex2oat.
+r_dir_file(otapreopt, apk_data_file)
+# Access to app oat directory.
+r_dir_file(otapreopt, dalvikcache_data_file)
+
 # Write to /data/ota(/*). Create symlinks in /data/ota(/*)
 allow otapreopt ota_data_file:dir create_dir_perms;
 allow otapreopt ota_data_file:file create_file_perms;
 allow otapreopt ota_data_file:lnk_file create_file_perms;

+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow otapreopt dalvikcache_data_file:dir { write add_name remove_name };
+allow otapreopt dalvikcache_data_file:file create_file_perms;
+
 # Allow labeling of files under /data/app/com.example/oat/
 # TODO: Restrict to .b suffix?
 allow otapreopt dalvikcache_data_file:dir relabelto;