Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 16dfb432b3293d30cc889e1ccc00c95ff18b369a^! / . / private / otapreopt_chroot.te
commit16dfb432b3293d30cc889e1ccc00c95ff18b369a[log] [tgz]
authorAlex Light <allight@google.com>Thu Mar 11 11:26:08 2021 -0800
committerAlex Light <allight@google.com>Wed Mar 24 17:00:35 2021 -0700
tree2d3b72b75fc845633c30476a3d9568dc7a1f9951
parent133496f8a47526cc0eb5f01c9c69fb1aaa9aee69 [diff] [blame]
Use postinstall file_contexts

Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.

Bug: 181182967
Test: Manual OTA of blueline
Merged-In: I5eb53625202479ea7e75c27273531257d041e69d
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d

diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 529dba3..ea9d4ee 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te

@@ -1,10 +1,18 @@
 # otapreopt_chroot executable
-type otapreopt_chroot, domain, coredomain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
 
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.
 allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
 allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
 
 # This is required to mount /vendor and mount/unmount ext4 images from
@@ -35,7 +43,9 @@
 allow otapreopt_chroot update_engine:fifo_file write;
 
 # Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
 
 # Allow otapreopt_chroot to control linkerconfig
 allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };