Allow `oatpreopt` to run `dex2oat` from the Runtime APEX.
- Allow `postinstall_dexopt` to transition to domain `dex2oat` when
executing `dex2oat` from the Runtime APEX
(`/postinstall/apex/com.android.com/bin/dex2oat`).
- Allow `dex2oat` (from the Runtime APEX) to read files under
`/postinstall` (e.g. APKs under `/system`, `/system/bin/linker`);
- Also allow `dex2oat` (from the Runtime APEX) to use libraries under
`/postinstall/system` (e.g. `/system/lib/libc.so`). This is
a temporary change until Bionic libraries are part of the Runtime
APEX.
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I0a8a6ac485f725753ee909b1561becd3bd908ce4
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index ff5fe87..f237817 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -2,4 +2,4 @@
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
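Review bot: the retained comment above the changed rule still says "We have to manually transition, as we don't have an entrypoint", but the new rule's second argument is dex2oat_exec, so the comment no longer matches the rule. Please reword it to say that the transition now applies to binaries labelled dex2oat_exec (the Runtime APEX copy under /postinstall, per the commit message). No file_contexts change is visible in this patch, so the description should also state how the binary under /postinstall gets the dex2oat_exec label. Please confirm too that nothing still executes a dex2oat labelled postinstall_file, since that path no longer leaves postinstall_dexopt for the dex2oat domain.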
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 8974838..7ae1b34 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -46,6 +46,12 @@
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
# Allow dex2oat access to /postinstall/apex.
allow dex2oat tmpfs:dir search;
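Review bot: the permissions in the two added rules are split in a way that will break the first one when the TODO is resolved. The first rule grants only `read` on postinstall_file:file, while `getattr` and `open` live in the rule marked for removal under b/120266448. Once that rule goes, reading APKs under /postinstall is left with read but no open. Suggest `allow dex2oat postinstall_file:file { getattr open read };` for the permanent rule and keeping only `execute` in the temporary one. Separately, `execute` is granted on every file labelled postinstall_file, not just the libraries under /postinstall/system that the comment names. The comment should say so explicitly, so the breadth of the temporary grant is clear to whoever removes it.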