From c83614b632046b3ce268cdecdf1809d046253515 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Tue, 1 Mar 2016 08:45:33 -0800
Subject: [PATCH] Sepolicy: Give Otapreopt right to write A/B artifacts in
 /data

For apps installed /data (vs the system image), Otapreopt puts
A/B artifacts alongside the regular oat location with a "b" suffix.

Give Otapreopt the right to create and write such files.

Bug: 25612095
Change-Id: Idf3f0959816f49407036cea9b8e684b26c510e80
---
 otapreopt.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/otapreopt.te b/otapreopt.te
index bb90eafcd..0eada985b 100644
--- a/otapreopt.te
+++ b/otapreopt.te
@@ -8,11 +8,21 @@ allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
 # here and having to relabel the directory.
 
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(otapreopt, apk_data_file)
+# Access to app oat directory.
+r_dir_file(otapreopt, dalvikcache_data_file)
+
 # Write to /data/ota(/*). Create symlinks in /data/ota(/*)
 allow otapreopt ota_data_file:dir create_dir_perms;
 allow otapreopt ota_data_file:file create_file_perms;
 allow otapreopt ota_data_file:lnk_file create_file_perms;
 
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow otapreopt dalvikcache_data_file:dir { write add_name remove_name };
+allow otapreopt dalvikcache_data_file:file create_file_perms;
+
 # Allow labeling of files under /data/app/com.example/oat/
 # TODO: Restrict to .b suffix?
 allow otapreopt dalvikcache_data_file:dir relabelto;
-- 
GitLab