dex2oat/patchoat: Add rights for A/B OTA

Give dex2oat/patchoat link rights in /data/ota to produce a patched
image.

Give zygote rights to relabel links. Also give the zygote rights to
unlink, which is required when relabeling fails (to clean up the
dalvik-cache).

Bug: 25612095
Change-Id: I28bfb9cbeabe93b1f68ada9bcaf29f4f60028c2f

dex2oat.te

@@ -27,9 +27,9 @@ allow dex2oat otapreopt:fd use;
 allow dex2oat ota_data_file:dir ra_dir_perms;
 allow dex2oat ota_data_file:file r_file_perms;
 
-# Read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file read;
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
 
 # It would be nice to tie this down, but currently, because of how images are written, we can't
 # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to

zygote.te

@@ -96,11 +96,14 @@ r_dir_file(zygote, ota_data_file)
 allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
 
 # And needs to relabel the entries, so as to have the dalvikcache_data_file label.
-allow zygote ota_data_file:{ dir file } relabelfrom;
-allow zygote dalvikcache_data_file:{ dir file } relabelto;
+allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;
 
 # The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+# In case something goes wrong in relabelling, we also need to be able to delete the files that
+# have already been moved.
 allow zygote ota_data_file:dir rmdir;
+allow zygote ota_data_file:{ file lnk_file } unlink;
 
 ###
 ### neverallow rules