Don't use apexd when TARGET_FLATTEN_APEX == true
/system/apex/com.android.runtime is labeled as runtime_apex_dir
and init is allowed to mount on it.
When TARGET_FLATTEN_APEX is true (= ro.apex.updatable is unset or set to
false), apexd is not used to activate the built-in flattened APEXes.
Init simply bind-mounts /system/apex to /apex.
However, there is a special case here. The runtime APEX is installed as
either /system/apex/com.android.runtime.debug or
/system/apex/com.android.runtime.release, whereas it should be activated
on /apex/com.android.runtime - without the .debug or .release suffix.
To handle that case, the build system creates an empty directory
/system/apex/com.android.runtime and the .debug or .release directory
is bind-mounted to the empty directory by init at runtime.
Bug: 132413565
Test: marlin is bootable
Merged-In: I3fde5ff831429723fecd1fa5c10e44f636a63f09
Change-Id: I3fde5ff831429723fecd1fa5c10e44f636a63f09
(cherry picked from commit 99902a175b62d242a40ab7957b284f667a03b424)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3c6ba08..293d97d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -136,6 +136,7 @@
recovery_socket
role_service
runas_app
+ runtime_apex_dir
runtime_service
secure_element
secure_element_device
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 3b9bd52..fbc241a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -123,6 +123,7 @@
recovery_socket
role_service
runas_app
+ runtime_apex_dir
runtime_service
secure_element
secure_element_device
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index b7466ac..e841832 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -113,6 +113,7 @@
rss_hwm_reset_exec
runas_app
runas_app_tmpfs
+ runtime_apex_dir
runtime_service
sdcard_block_device
sensor_privacy_service
diff --git a/private/file_contexts b/private/file_contexts
index dab1026..2f41e06 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -180,6 +180,7 @@
# System files
#
/system(/.*)? u:object_r:system_file:s0
+/system/apex/com.android.runtime u:object_r:runtime_apex_dir:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
diff --git a/public/file.te b/public/file.te
index 6f27ec4..ea9b961 100644
--- a/public/file.te
+++ b/public/file.te
@@ -172,6 +172,8 @@
type task_profiles_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
+# Type for /system/apex/com.android.runtime
+type runtime_apex_dir, system_file_type, file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/init.te b/public/init.te
index adeaeb0..55adaaa 100644
--- a/public/init.te
+++ b/public/init.te
@@ -92,6 +92,9 @@
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
+# Bind-mount on /system/apex/com.android.runtime
+allow init runtime_apex_dir:dir mounton;
+
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };