From 5c5d6cd881fc6efe30f4f2226e1e355b67d927a0 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Tue, 16 Feb 2016 10:38:38 -0800
Subject: [PATCH] dex2oat/patchoat: Add rights for A/B OTA

Give dex2oat/patchoat rights to create symlinks in /data/ota, which is
needed to produce a patched image.

Give zygote rights to relabel links. Also give the zygote rights to
unlink, which is required when relabeling fails (to clean up the
dalvik-cache).

Bug: 25612095
Change-Id: I28bfb9cbeabe93b1f68ada9bcaf29f4f60028c2f
---
 dex2oat.te | 6 +++---
 zygote.te  | 7 +++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/dex2oat.te b/dex2oat.te
index 4252b88fa..df3cc4245 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -27,9 +27,9 @@ allow dex2oat otapreopt:fd use;
 allow dex2oat ota_data_file:dir ra_dir_perms;
 allow dex2oat ota_data_file:file r_file_perms;
 
-# Read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file read;
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
 
 # It would be nice to tie this down, but currently, because of how images are written, we can't
 # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
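Review bot: The added `create` in `allow dex2oat ota_data_file:lnk_file { create read };` lets the dex2oat domain write symlinks with any target string under /data/ota, and the zygote.te hunk of this patch then relabels those links to dalvikcache_data_file. The policy constrains the link's label, not its target path, so the comment should record the expectation, for example `# Links are created during A/B OTA preopt and later relabelled by the zygote; targets are expected to point into /system only.` The subject line also names patchoat, but no patchoat rule appears in this patch; presumably patchoat runs in the dex2oat domain, which is worth stating in the comment. The comment that begins on the last two lines of the hunk continues outside it.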
diff --git a/zygote.te b/zygote.te
index 22558048a..013d8c6aa 100644
--- a/zygote.te
+++ b/zygote.te
@@ -96,11 +96,14 @@ r_dir_file(zygote, ota_data_file)
 allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
 
 # And needs to relabel the entries, so as to have the dalvikcache_data_file label.
-allow zygote ota_data_file:{ dir file } relabelfrom;
-allow zygote dalvikcache_data_file:{ dir file } relabelto;
+allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;
 
 # The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+# In case something goes wrong in relabelling, we also need to be able to delete the files that
+# have already been moved.
 allow zygote ota_data_file:dir rmdir;
+allow zygote ota_data_file:{ file lnk_file } unlink;
 
 ###
 ### neverallow rules
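Review bot: The relabel rules now move `lnk_file` entries written by dex2oat into the dalvikcache_data_file type, and nothing in this hunk limits where those links point once they carry the trusted label. Since SELinux checks labels rather than the target string, the code that performs the move should confirm each link resolves under /system before relabelling, and the comment should say so, e.g. `# Symlinks are relabelled as-is; their targets should be checked before the move.` Separately, the added two-line comment sits between the rmdir comment and `allow zygote ota_data_file:dir rmdir;`, so it reads as if rmdir were the failure path; placing it directly above `allow zygote ota_data_file:{ file lnk_file } unlink;` keeps each rule next to its rationale. The unlink rule covers only entries still labelled ota_data_file; whether entries already relabelled before a failure can be removed depends on rules outside this hunk.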
-- 
GitLab