Fix otapreopt_chroot
A number of things have changed, such as how the linkerconfig is
managed. Update permissions to reflect the changes.
Bug: 181182967
Test: Manual OTA of cuttlefish
Change-Id: I32207eb7c5653969e5cef4830e18f8c8fb330026
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 909f94c..b08462e 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -17,6 +17,7 @@
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
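Review bot: The added `allow dex2oat postinstall_file:file lock;` sits directly under a comment that names only /system/framework/arm/*, so it reads as if that comment explained it when it does not. Give the new rule its own comment, e.g. `# Acquire advisory lock on the /postinstall counterpart during OTA preopt.` The /postinstall location is inferred from the postinstall_file type and the otapreopt_chroot changes elsewhere in this commit, so confirm the exact path before committing the wording.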
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 3e08e42..84fde67 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,4 +19,4 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
-neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
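Review bot: The widened neverallow carves otapreopt_chroot out of the rule that keeps linkerconfig_exec non-executable for every domain except init and linkerconfig, but nothing in this file records why; the only comment above it is about apex-info-list.xml. The justification lives in another file of this commit (otapreopt_chroot.te grants `linkerconfig_exec:file rx_file_perms`), so anyone auditing this exemption later has to go hunting for it. Add a comment above the rule, e.g. `# otapreopt_chroot runs linkerconfig from the new image during OTA (see otapreopt_chroot.te).`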
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 37149ab..610c4cb 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -37,6 +37,10 @@
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
+
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
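Review bot: The comment `# Allow otapreopt_chroot to control linkerconfig` is vague for a rule that grants create_dir_perms plus relabelto on linkerconfig_file:dir and create_file_perms on its files; say what is actually done, e.g. `# Allow otapreopt_chroot to create and relabel the linkerconfig directory and its files inside the chroot.` Separately, relabelto is granted on the dir class but no relabelfrom for the directory's starting type appears in this hunk, and the file class gets no relabel permission at all; if the relabel happens through another rule or mechanism this is fine, otherwise it will be denied, so it is worth checking against the audit log from the manual OTA test.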
@@ -63,6 +67,7 @@
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
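Review bot: The new `allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;` is placed under a comment that speaks only of manipulating the directory, and create_file_perms is the broadest file macro (it includes create, write and unlink among others). If otapreopt_chroot only needs to read or create specific files under /postinstall/apex, a narrower permission set would keep the grant minimal; either way extend the comment, e.g. `# Allow otapreopt_chroot to manipulate directory /postinstall/apex and the files within it.`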
@@ -77,3 +82,6 @@
# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
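Review bot: The rx_file_perms grant has otapreopt_chroot execute linkerconfig_exec in its own domain (no transition into linkerconfig is added in this commit), which is what forces the neverallow exemption in linkerconfig.te; the comment should state that coupling, since it is the security-relevant consequence of this line. Something like `# Allow otapreopt_chroot to run linkerconfig from the new image in its own domain (no transition);` followed by `# this is why linkerconfig.te exempts it from the linkerconfig_exec neverallow.` Also capitalize `Allow` to match the other comments in the file.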