Merge "SELinux policy for new managed system update APIs"
diff --git a/public/postinstall.te b/public/postinstall.te
index 7fd4dc6..2ef68bd 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -19,6 +19,11 @@
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+ allow postinstall rootfs:file rx_file_perms;
+')
+
#
# For OTA dexopt.
#
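Review bot: The comment on the added `recovery_only` block says the rule is for executing the shell, but `allow postinstall rootfs:file rx_file_perms;` grants read and execute on every file labelled `rootfs`, not only the shell. `rx_file_perms` also includes `execute_no_trans`, so whatever is run this way stays in the `postinstall` domain. If the recovery ramdisk has no dedicated label for its shell (the diff does not show this), the comment should say so, for example `# Recovery ramdisk binaries are labelled rootfs, so this covers all of them, not only the shell.` A narrower type for the shell would be preferable if one is available in recovery.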
diff --git a/public/recovery.te b/public/recovery.te
index 9db6f5e..6cb391c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -76,6 +76,7 @@
# Access /dev/usb-ffs/adb/ep0
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
+ allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
# Access to /sys/fs/selinux/policyvers for compatibility check
allow recovery selinuxfs:file r_file_perms;
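Review bot: The added `allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;` has no comment naming the caller that needs this ioctl; the existing comment above it only mentions access to ep0. Once an `allowxperm` rule exists for a source, target and class, ioctl commands outside the listed set are denied for that triple, so it is worth confirming that recovery issues no other functionfs ioctl. I would add a line such as `# Needed by <caller> to read the endpoint descriptor; other functionfs ioctls stay denied.` with the caller filled in, since the diff does not show it.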