Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ae127d8340291640c7fbad99219560b0ca21ccd9^! / .
commitae127d8340291640c7fbad99219560b0ca21ccd9[log] [tgz]
authorAndreas Gampe <agampe@google.com>Thu Feb 07 16:26:00 2019 -0800
committerAndreas Gampe <agampe@google.com>Thu Feb 28 05:12:56 2019 -0800
treef923176dcba7d7359aca042e1af22e86b8ba41b4
parent83f65ebbb29f9ca85f6a22ed26b7364743d612cf [diff]
Sepolicy: Add base runtime APEX preinstall policies

Add art_apex_preinstall domain that is allowed to create AoT
artifacts in /data/ota.

Bug: 125474642
Test: m
Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036

diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 507d665..059b52a 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts

@@ -1,10 +1,11 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/bin/dex2oat(d)?         u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer(d)?  u:object_r:dexoptanalyzer_exec:s0
-/bin/profman(d)?         u:object_r:profman_exec:s0
-/bin/linker(64)?         u:object_r:system_linker_exec:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
-/etc/tz(/.*)?            u:object_r:system_zoneinfo_file:s0
+(/.*)?                        u:object_r:system_file:s0
+/bin/dex2oat(d)?              u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)?       u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)?              u:object_r:profman_exec:s0
+/bin/linker(64)?              u:object_r:system_linker_exec:s0
+/lib(64)?(/.*)?               u:object_r:system_lib_file:s0
+/etc/tz(/.*)?                 u:object_r:system_zoneinfo_file:s0
+/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0

diff --git a/private/apexd.te b/private/apexd.te
index 7647169..31b66f5 100644
--- a/private/apexd.te
+++ b/private/apexd.te

@@ -76,6 +76,10 @@
 # Allow apexd to log to the kernel.
 allow apexd kmsg_device:chr_file w_file_perms;
 
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
 # Apex pre- & post-install permission.
 
 # Allow self-execute for the fork mount helper.
@@ -89,9 +93,8 @@
 # rule is required, thus restricted to execute and not execute_no_trans.
 allow apexd shell_exec:file { r_file_perms execute };
 
-# Allow apexd to reboot device. Required for rollbacks of apexes that are
-# not covered by rollback manager.
-set_prop(apexd, powerctl_prop)
+# Allow transition to ART APEX preinstall domain.
+domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
 
 # Allow transition to test APEX preinstall domain.
 userdebug_or_eng(`

diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
new file mode 100644
index 0000000..438340b
--- /dev/null
+++ b/private/art_apex_preinstall.te

@@ -0,0 +1,26 @@
+# ART APEX preinstall.
+#
+
+type art_apex_preinstall, domain, coredomain;
+type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_preinstall apexd:fd use;
+
+# Create temp dirs and files under /data/ota.
+allow art_apex_preinstall ota_data_file:dir create_dir_perms;
+allow art_apex_preinstall ota_data_file:file create_file_perms;
+# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
+# mount namespace.
+allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
+allow art_apex_preinstall self:capability sys_admin;
+
+# Script helpers.
+allow art_apex_preinstall shell_exec:file rx_file_perms;
+allow art_apex_preinstall toolbox_exec:file rx_file_perms;
+
+# Execute subscripts in the same domain.
+allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
+
+# Run dex2oat.
+domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)

diff --git a/private/dex2oat.te b/private/dex2oat.te
index c529d11..47c78a0 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te

@@ -68,6 +68,16 @@
 # create them itself (and make them world-readable).
 allow dex2oat ota_data_file:file { create w_file_perms setattr };
 
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
+
 ##############
 # Neverallow #
 ##############