Allow `otapreopt_chroot` to use a flattened Runtime APEX package.

- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
  execute `dex2oat` from `/postinstall` -- this is for the case where
  it is located in a flattened Runtime APEX in
  `/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
  `/postinstall/system/apex` (which are bind-mounted in
  `/postinstall/apex`).

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 47c78a0..7907f6c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -42,11 +42,10 @@
 # Allow dex2oat to use file descriptors from otapreopt.
 allow dex2oat postinstall_dexopt:fd use;
 
-allow dex2oat postinstall_file:dir { getattr search };
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:dir r_dir_perms;
 allow dex2oat postinstall_file:filesystem getattr;
 allow dex2oat postinstall_file:lnk_file { getattr read };
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
 allow dex2oat postinstall_file:file read;
 # Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
 # TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
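Review bot: The comment now sitting above the `postinstall_file:dir` rule still talks about reading files (APKs, the linker), so nothing in the policy explains why dex2oat's directory access grows from `{ getattr search }` to `r_dir_perms`. The `postinstall_file:file read` rule further down also loses the comment that described it. Going by the commit message, the wider grant exists for a flattened Runtime APEX under `/postinstall/system/apex`, yet the rule covers every directory labelled `postinstall_file`; that is worth stating so a later least-privilege audit can tell whether the extra directory permissions are still needed. I would leave the original comment with the `file read` rule and put a separate one above the dir rule, for example `# Allow dex2oat to read directories under /postinstall; needed when the Runtime APEX is flattened in /postinstall/system/apex.` If the flattened-APEX case is meant to be temporary, a TODO in the style of the Bionic one just below would mark the rule for tightening later.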