Merge "Sepolicy: Give zygote rights needed for A/B OTAs" into nyc-dev

commit: 816448d8259a5e3359173f7c31528054c1b2611d [log] [tgz]
author: Andreas Gampe <agampe@google.com> Wed Feb 10 00:34:53 2016 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Wed Feb 10 00:34:53 2016 +0000
tree: 96c10fd6586e2d8e3f8122c7eb67b11b75cf3ae3
parent: cdab09c735f484267ea1039db2dda4667b010ce1 [diff]
parent: f4bd8b30e3235308cbb7d1f7446ffca5f625c8eb [diff]
diff --git a/zygote.te b/zygote.te
index 67fd621..2255804 100644
--- a/zygote.te
+++ b/zygote.te

@@ -81,6 +81,28 @@
 ')
 
 ###
+### A/B OTA
+###
+
+# The zygote is responsible for detecting A/B OTA artifacts and moving them into
+# the actual dalvik-cache.
+
+# Allow zygote access to files in /data/ota.
+# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
+# images, where the oat file is symlinked to the original file in /system.
+r_dir_file(zygote, ota_data_file)
+
+# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
+allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
+
+# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
+allow zygote ota_data_file:{ dir file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file } relabelto;
+
+# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+allow zygote ota_data_file:dir rmdir;
+
+###
 ### neverallow rules
 ###
commit	816448d8259a5e3359173f7c31528054c1b2611d	[log] [tgz]
author	Andreas Gampe <agampe@google.com>	Wed Feb 10 00:34:53 2016 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Wed Feb 10 00:34:53 2016 +0000
tree	96c10fd6586e2d8e3f8122c7eb67b11b75cf3ae3
parent	cdab09c735f484267ea1039db2dda4667b010ce1 [diff]
parent	f4bd8b30e3235308cbb7d1f7446ffca5f625c8eb [diff]