Merge "Sepolicy: Give zygote rights needed for A/B OTAs" into nyc-dev

816448d8 · Andreas Gampe · Android (Google) Code Review · cdab09c7 · f4bd8b30 · 816448d8
Commit 816448d8 authored 9 years ago by Andreas Gampe Committed by Android (Google) Code Review 9 years ago
--- a/zygote.te
+++ b/zygote.te
@@ -80,6 +80,28 @@ userdebug_or_eng(`
  allow zygote method_trace_data_file:file { create w_file_perms };
 ')

+###
+### A/B OTA
+###
+
+# The zygote is responsible for detecting A/B OTA artifacts and moving them into
+# the actual dalvik-cache.
+
+# Allow zygote access to files in /data/ota.
+# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
+# images, where the oat file is symlinked to the original file in /system.
+r_dir_file(zygote, ota_data_file)
+
+# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
+allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
+
+# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
+allow zygote ota_data_file:{ dir file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file } relabelto;
+
+# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+allow zygote ota_data_file:dir rmdir;
+
 ###
 ### neverallow rules
 ###