Introduce a `postinstall_apex_mnt_dir` label for `/postinstall/apex`.
Directory `/postinstall/apex` is used as a mount point for a tmpfs
filesystem during A/B OTA updates. APEX packages from the new system
partition are mounted ("activated") in subdirectories of
`/postinstall/apex`, so that they are available when `otapreopt` is
running.
Directory `/postinstall/apex` used to be of type `tmpfs` for SELinux
purposes. The new `postinstall_apex_mnt_dir` label is more
restrictive, and tightens permissions granted to `otapreopt_chroot`,
`otapreopt` (running as `postinstall_dexopt`), and `dex2oat`,
regarding the apexd logic recently added to `otapreopt_chroot`.
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I03f0b0433d9c066a0c607f864d60ca62fc68c990
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d489e73..44d2d63 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -82,6 +82,7 @@
network_stack_tmpfs
overlayfs_file
permissionmgr_service
+ postinstall_apex_mnt_dir
recovery_socket
role_service
rs
diff --git a/private/file_contexts b/private/file_contexts
index af9572d..89c11bd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -28,6 +28,7 @@
/config u:object_r:rootfs:s0
/mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 608ed9e..aea2faa 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -23,10 +23,14 @@
# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir mounton;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 7ae1b34..1ea0420 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -53,7 +53,7 @@
allow dex2oat postinstall_file:file { execute getattr open };
# Allow dex2oat access to /postinstall/apex.
-allow dex2oat tmpfs:dir search;
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/file.te b/public/file.te
index e0f67a4..a9f4523 100644
--- a/public/file.te
+++ b/public/file.te
@@ -281,6 +281,8 @@
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 46a02dd..2fac3e3 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -13,8 +13,8 @@
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
-# Read data from /postinstall/apex.
-allow postinstall_dexopt tmpfs:dir { read search };
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.