Sepolicy: Move some parts from public to private
Those should not have been public before, but were forced to by
old neverallow rules.
Test: m
Change-Id: If8430b9c8d42b7cbcd28bbfbc79d579c69067edd
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 34f0d66..43340e0 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,6 +1,29 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, system_file_type, exec_type, file_type;
+
typeattribute cppreopts coredomain;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 98b93d4..a0b1b32 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,30 @@
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
+
typeattribute otapreopt_slot coredomain;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
index d10f767..7c85a9f 100644
--- a/private/preopt2cachename.te
+++ b/private/preopt2cachename.te
@@ -1 +1,18 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
+
typeattribute preopt2cachename coredomain;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+ auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')