Sepolicy: Adapt for new A/B OTA flow

(cherry picked from commit d47c1e93) To include target slot names in the naming of A/B OTA artifacts, and new path has been implemented. Instead of passing through the system server and forking off of installd, otapreopt_chroot is now driven directly from the otapreopt script. Change the selinux policy accordingly: allow a transition from postinstall to otapreopt_chroot, and let otapreopt_chroot inherit the file descriptors that update_engine had opened (it will close them immediately, do not give rights to the downstream executables otapreopt and dex2oat). Bug: 25612095 Bug: 28069686 Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb

Sepolicy: Adapt for new A/B OTA flow
03daf853 · Andreas Gampe · Jeff Vander Stoep · bff98015 · 03daf853 · 03daf853
Commit 03daf853 authored 8 years ago by Andreas Gampe Committed by Jeff Vander Stoep 8 years ago
--- a/installd.te
+++ b/installd.te
@@ -73,11 +73,6 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
-# Run otapreopt in its own sandbox.
-domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
-# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
-allow installd postinstall_dexopt:process sigchld;
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };

--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -10,5 +10,8 @@ allow otapreopt_chroot self:capability { sys_admin sys_chroot };
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
-# Allow otapreopt to use file descriptors from installd.
+# Allow otapreopt to use file descriptors from update-engine. It will
-allow otapreopt_chroot installd:fd use;
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
--- a/postinstall.te
+++ b/postinstall.te
@@ -30,6 +30,8 @@ binder_call(postinstall, system_server)
 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.

--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -47,8 +47,8 @@ selinux_check_access(postinstall_dexopt)
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-# installd wants to know about our child.
+# Postinstall wants to know about our child.
-allow postinstall_dexopt installd:process sigchld;
+allow postinstall_dexopt postinstall:process sigchld;
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...