author | 2025-04-01 08:47:20 -0700 | |
committer | 2025-04-09 18:23:32 -0700 | |
commit | 0436293045838478f1ceaa1b8e854c7bc65f035a (patch) | |
tree | 02de2aa9879933d7f7f689fec47c41485f66c5ff | |
parent | 8ade863d94634d2c7b6567e5acdc92654e7a638e (diff) |
Don't mount vendor-specific files.
Bug: 407472576
Test: ABTD (go/abtd/run/L53200030010825368)
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b1f646e2f33b07b1a603a09b1f6daab817e1df1b)
Merged-In: I3cd54899b6a8de4e127f8552e49b0f380866210c
Change-Id: I3cd54899b6a8de4e127f8552e49b0f380866210c
-rw-r--r-- | dexopt_chroot_setup/dexopt_chroot_setup.cc | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/dexopt_chroot_setup/dexopt_chroot_setup.cc b/dexopt_chroot_setup/dexopt_chroot_setup.cc
index 14d5c60a1e..2e3c9f46d4 100644
--- a/dexopt_chroot_setup/dexopt_chroot_setup.cc
+++ b/dexopt_chroot_setup/dexopt_chroot_setup.cc
@@ -325,14 +325,24 @@ Result<void> BindMountRecursive(const std::string& source, const std::string& ta
       // Match paths for the "u:object_r:apk_tmp_file:s0" file context in
       // system/sepolicy/private/file_contexts.
       std::regex apk_tmp_file_re(R"re((/data|/mnt/expand/[^/]+)/app/vmdl[^/]+\.tmp(/.*)?)re");
-      std::smatch match;
-      if (std::regex_match(entry.mount_point, match, apk_tmp_file_re)) {
+      if (std::regex_match(entry.mount_point, apk_tmp_file_re)) {
         // Don't bother. The mount point is a temporary directory created by Package Manager during
         // app install. We won't be able to dexopt the app there anyway because it's not in the
         // Package Manager's snapshot.
         LOG(INFO) << ART_FORMAT("Skipped temporary mount point '{}'", entry.mount_point);
         continue;
       }
+
+      std::regex vendor_file_re(R"re(/data/vendor(/.*)?)re");
+      if (std::regex_match(entry.mount_point, vendor_file_re)) {
+        // We can't reliably bind-mount vendor-specific files because those files can have
+        // vendor-specific SELinux file contexts, which by design cannot be referenced by
+        // `dexopt_chroot_setup.te`. In practice, we don't need to bind-mount those files because
+        // they are unlikely to contain things useful to us.
+        LOG(INFO) << ART_FORMAT("Skipped vendor mount point '{}'", entry.mount_point);
+        continue;
+      }
+
       return result;
     }
   }
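Review bot: The new `vendor_file_re` skips only mount points under `/data/vendor`, but the justification in its comment — vendor-labeled paths whose types `dexopt_chroot_setup.te` cannot reference — applies equally, if I recall `system/sepolicy/private/file_contexts` correctly, to `/data/vendor_ce` and `/data/vendor_de` (same `vendor_data_file` labeling, with vendor sub-labels allowed); please verify those entries and, if they match, widen the pattern to `R"re(/data/vendor(_ce|_de)?(/.*)?)re"` so a failed bind mount there is skipped rather than failing the whole setup. It would also help to name the label the pattern targets, as the preceding block does for `apk_tmp_file`: `// Match paths for the "u:object_r:vendor_data_file:s0" file context in system/sepolicy/private/file_contexts.` As a point of style, both `std::regex` objects are recompiled on every iteration that reaches this branch; a `static const std::regex` (or a plain prefix compare for this simple pattern) would avoid that. The enclosing loop and BindMountRecursive's body start before and continue after this hunk, so I could not confirm from the hunk alone that this branch is reached only on a failed mount.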