From f4bd8b30e3235308cbb7d1f7446ffca5f625c8eb Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Mon, 8 Feb 2016 17:39:47 -0800
Subject: [PATCH] Sepolicy: Give zygote rights needed for A/B OTAs

The zygote is reponsible for moving ART A/B OTA artifacts over to
the regular dalvik-cache.

Bug: 25612095
Change-Id: I838d9ec6ee5a0f0af5f379a4696abda69cea51ca
---
 zygote.te | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/zygote.te b/zygote.te
index 67fd621c0..22558048a 100644
--- a/zygote.te
+++ b/zygote.te
@@ -80,6 +80,28 @@ userdebug_or_eng(`
   allow zygote method_trace_data_file:file { create w_file_perms };
 ')
 
+###
+### A/B OTA
+###
+
+# The zygote is responsible for detecting A/B OTA artifacts and moving them into
+# the actual dalvik-cache.
+
+# Allow zygote access to files in /data/ota.
+# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
+# images, where the oat file is symlinked to the original file in /system.
+r_dir_file(zygote, ota_data_file)
+
+# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
+allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
+
+# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
+allow zygote ota_data_file:{ dir file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file } relabelto;
+
+# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+allow zygote ota_data_file:dir rmdir;
+
 ###
 ### neverallow rules
 ###
-- 
GitLab