# otapreopt_chroot executable
#
# Domain for the helper that builds a chroot under /postinstall and then runs
# otapreopt inside it (via the postinstall_dexopt transition below), driven by
# update_engine / the postinstall script over inherited pipes. Almost every
# rule in this file exists to set up that chroot: a private mount namespace,
# bind mounts of the partitions, and loop-mounted APEX images.
#
# The domain type is only declared here from board API 202504 onwards; on
# older board API levels the declaration presumably comes from elsewhere
# (public policy) — confirm before adding rules that assume it is private.
starting_at_board_api(202504, `type otapreopt_chroot, domain;')
typeattribute otapreopt_chroot coredomain;
type otapreopt_chroot_exec, exec_type, file_type, system_file_type;

# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
# The mounton targets are exactly the directories that get bind-mounted into
# the chroot. sys_admin is what mount(2)/unshare(2) require and sys_chroot
# what chroot(2) requires; sys_admin is a very broad capability, so what
# actually bounds this domain is the narrow list of mount targets and
# filesystem types granted in this file, not the capability itself. Add new
# mounton targets one at a time with a comment saying why.
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot apex_mnt_dir:dir mounton;
allow otapreopt_chroot device:dir mounton;
allow otapreopt_chroot linkerconfig_file:dir mounton;
allow otapreopt_chroot rootfs:dir mounton;
allow otapreopt_chroot sysfs:dir mounton;
allow otapreopt_chroot system_data_root_file:dir mounton;
allow otapreopt_chroot system_file:dir mounton;
allow otapreopt_chroot vendor_file:dir mounton;
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };

# This is required to mount /vendor and mount/unmount ext4 images from
# APEX packages in /postinstall/apex.
# Only labeledfs (ext4-style, xattr-labelled) filesystems may be mounted or
# unmounted; other filesystem types need their own explicit rule.
allow otapreopt_chroot block_device:dir search;
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
# This is required for dynamic partitions.
allow otapreopt_chroot dm_device:chr_file rw_file_perms;

# This is required to unmount flattened APEX packages under
# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
allow otapreopt_chroot postinstall_file:filesystem unmount;
# Mounting /vendor can have this side-effect. Ignore denial.
# (dontaudit only suppresses the audit log line; the setsched itself is
# still denied.)
dontaudit otapreopt_chroot kernel:process setsched;

# Allow otapreopt_chroot to read SELinux policy files.
allow otapreopt_chroot file_contexts_file:file r_file_perms;

# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
allow otapreopt_chroot postinstall_file:dir r_dir_perms;
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)

# Allow otapreopt to use file descriptors from update-engine and the postinstall
# script. It will read dexopt commands from stdin and write progress to stdout.
# Only fd use and the fifo itself are granted here: there is no rule in this
# file on update_engine's or postinstall's other files, so the inherited pipe
# is the only channel between the domains.
allow otapreopt_chroot postinstall:fd use;
allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;

# Allow transition to postinstall_dexopt, to run otapreopt in its own sandbox.
# The same is done for linkerconfig and apexd so that those binaries run in
# their own (less privileged) domains rather than inheriting sys_admin from
# this one.
domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)

# Allow otapreopt_chroot to control linkerconfig
# relabelto lets it label directories it creates as linkerconfig_file (the
# chroot's copy of the linker configuration).
allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
allow otapreopt_chroot linkerconfig_file:file create_file_perms;

# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
# The ioctl set below is an explicit allow-list (allowxperm); extend it one
# ioctl at a time rather than widening it to the whole loop ioctl range.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
  LOOP_CONFIGURE
  LOOP_GET_STATUS64
  LOOP_SET_STATUS64
  LOOP_SET_FD
  LOOP_SET_BLOCK_SIZE
  LOOP_SET_DIRECT_IO
  LOOP_CLR_FD
  BLKFLSBUF
};

# Allow otapreopt_chroot to configure read-ahead of loop devices.
allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
allow otapreopt_chroot sysfs_loop:file rw_file_perms;

# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
allow otapreopt_chroot tmpfs:filesystem mount;
# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
# The relabel is one-directional: from tmpfs to postinstall_apex_mnt_dir only.
allow otapreopt_chroot tmpfs:dir relabelfrom;
allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;

# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;

# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;

# Allow access to the linker through the symlink.
allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;

# Allow otapreopt_chroot to read ro.cold_boot_done prop.
# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinitely.
# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
get_prop(otapreopt_chroot, cold_boot_done_prop)

# Allow otapreopt_chroot to run the linkerconfig from the new image.
# NOTE(review): rx_file_perms includes execute_no_trans in Android's
# global_macros (confirm), so unlike the domain_auto_trans above this lets
# the new image's linkerconfig execute in the otapreopt_chroot domain itself,
# i.e. with this domain's sys_admin capability. Keep this rule as narrow as
# the migration to libapexmount allows.
allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;