Merge "Allow `otapreopt` to use bind-mounted Bionic artifacts from the Runtime APEX." am: 5c8f9398d9 am: 67947e6fb4
am: 37e5d0e969
Change-Id: I8167e0d8914eb1a5ae160b0b64f07fd4c0afea15
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faa..61fdaab 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -32,6 +32,13 @@
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
+# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
+# into /postinstall/bionic/.
+allow otapreopt_chroot postinstall_file:file mounton;
+# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
+# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
+allow otapreopt_chroot postinstall_file:lnk_file read;
+
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 2fac3e3..b525737 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -8,7 +8,7 @@
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;