Merge changes from topics "runtime-apex-otapreopt_chroot-tear-down", "runtime-apex-installd-support", "runtime-apex-otapreopt_chroot-support"
* changes:
Allow `oatpreopt_chroot` to deactivate APEX packages in `/postinstall/apex`.
Allow `oatpreopt` to run `dex2oat` from the Runtime APEX.
Allow `otapreopt_chroot` to mount APEX packages using `apexd` logic.
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 1f69931..8f3d797 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -2,3 +2,33 @@
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+
+# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
+allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
+# Allow otapreopt_chroot to access loop devices.
+allow otapreopt_chroot loop_device:blk_file rw_file_perms;
+allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# Allow otapreopt_chroot to configure read-ahead of loop devices.
+allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
+allow otapreopt_chroot sysfs_loop:file rw_file_perms;
+
+# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
+allow otapreopt_chroot tmpfs:filesystem mount;
+# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir mounton;
+
+# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
+allow otapreopt_chroot labeledfs:filesystem unmount;
+# Allow otapreopt_chroot to access /dev/block.
+allow otapreopt_chroot block_device:dir r_dir_perms;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index ff5fe87..f237817 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -2,4 +2,4 @@
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 0a046c6..7ae1b34 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -46,6 +46,15 @@
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat tmpfs:dir search;
+
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
allow dex2oat ota_data_file:file r_file_perms;
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2..3ffb5ce 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,6 +88,12 @@
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;
+# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
+# files under /postinstall, as it uses apexd logic to mount APEX packages in
+# /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
+
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 902708b..d815d1d 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -13,6 +13,14 @@
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
# Allow otapreopt to use file descriptors from update-engine. It will
# close them immediately.
allow otapreopt_chroot postinstall:fd use;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 0ccd168..46a02dd 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -13,6 +13,9 @@
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
+# Read data from /postinstall/apex.
+allow postinstall_dexopt tmpfs:dir { read search };
+
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.