Sepolicy: Give zygote rights needed for A/B OTAs

The zygote is reponsible for moving ART A/B OTA artifacts over to the regular dalvik-cache. Bug: 25612095 Change-Id: I838d9ec6ee5a0f0af5f379a4696abda69cea51ca

Sepolicy: Give zygote rights needed for A/B OTAs
f4bd8b30 · Andreas Gampe · 66855fca · f4bd8b30
Commit f4bd8b30 authored 9 years ago by Andreas Gampe
--- a/zygote.te
+++ b/zygote.te
@@ -80,6 +80,28 @@ userdebug_or_eng(`
  allow zygote method_trace_data_file:file { create w_file_perms };
 ')

+###
+### A/B OTA
+###
+
+# The zygote is responsible for detecting A/B OTA artifacts and moving them into
+# the actual dalvik-cache.
+
+# Allow zygote access to files in /data/ota.
+# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
+# images, where the oat file is symlinked to the original file in /system.
+r_dir_file(zygote, ota_data_file)
+
+# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
+allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
+
+# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
+allow zygote ota_data_file:{ dir file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file } relabelto;
+
+# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+allow zygote ota_data_file:dir rmdir;
+
 ###
 ### neverallow rules
 ###