Sepolicy: Give Otapreopt right to write A/B artifacts in /data
For apps installed in /data (as opposed to the system image), Otapreopt puts A/B artifacts alongside the regular oat location with a "b" suffix. Give Otapreopt the right to create and write such files. Bug: 25612095 Change-Id: Idf3f0959816f49407036cea9b8e684b26c510e80
parent
79bb5d8f00
commit
c83614b632
10
otapreopt.te
10
otapreopt.te
@ -8,11 +8,21 @@ allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid
|
||||
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
|
||||
# here and having to relabel the directory.
|
||||
|
||||
# Read app data (APKs) as input to dex2oat.
|
||||
r_dir_file(otapreopt, apk_data_file)
|
||||
# Access to app oat directory.
|
||||
r_dir_file(otapreopt, dalvikcache_data_file)
|
||||
|
||||
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
|
||||
allow otapreopt ota_data_file:dir create_dir_perms;
|
||||
allow otapreopt ota_data_file:file create_file_perms;
|
||||
allow otapreopt ota_data_file:lnk_file create_file_perms;
|
||||
|
||||
# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
|
||||
# TODO: See whether we can apply ota_data_file?
|
||||
allow otapreopt dalvikcache_data_file:dir { write add_name remove_name };
|
||||
allow otapreopt dalvikcache_data_file:file create_file_perms;
|
||||
|
||||
# Allow labeling of files under /data/app/com.example/oat/
|
||||
# TODO: Restrict to .b suffix?
|
||||
allow otapreopt dalvikcache_data_file:dir relabelto;
|
||||
|
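Review bot: The rule `allow otapreopt dalvikcache_data_file:file create_file_perms;`, together with `dalvikcache_data_file:dir { write add_name remove_name }`, is wider than the "b"-suffixed artifacts the description asks for. Type enforcement cannot match on a file name, so otapreopt can also replace or unlink the oat files the running slot executes. Since otapreopt takes APKs from /data as dex2oat input, a fault there would reach code that is later loaded by apps. The two TODOs already hint at the fix: label the B artifacts `ota_data_file` (or another dedicated type) and drop the `dalvikcache_data_file` write rules. Until then the grant should carry a comment such as `# NOTE: not limited to .b files; also covers the active slot's oat files until B artifacts get their own type.` The `relabelto` on `dalvikcache_data_file:dir` has no matching `relabelfrom` in the visible lines, so the source label being relabelled cannot be checked from this section.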