Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 8393a05fee133580e6bf43d5aa1c97267f4f5d6c^! / . / private
commit8393a05fee133580e6bf43d5aa1c97267f4f5d6c[log] [tgz]
authorAlex Light <allight@google.com>Mon Apr 26 16:46:57 2021 -0700
committerAlex Light <allight@google.com>Tue Apr 27 14:31:54 2021 -0700
tree43a567af444777f52baf4f5c851f4fd8b921658d
parent7362f58895f29ea9779587cabcd513257e51c344 [diff]
Add support for invoking derive_classpath from otadexopt

otadexopt needs to be able to invoke derive_classpath in order to
determine the boot-classpath after the OTA finishes.

Test: manual OTA on blueline
Bug: 186432034
Change-Id: I3ec561fc0aa9de25ae1186f012ef72ba851990d0

diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index caa6058..2299ba0 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te

@@ -13,3 +13,13 @@
 
 # b/183079517 fails on gphone targets otherwise
 allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;

diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 0b1a032..94af043 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te

@@ -5,6 +5,7 @@
 
 type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
 type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
 
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
@@ -15,6 +16,12 @@
 #   with the `postinstall_file` type by update_engine.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
 allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;