Add sepolicy for starting the snapuserd daemon through init.

Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 4e7d20d..f89f2e2 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
     adbd_config_prop
     apex_info_file
     cgroup_v2
+    ctl_snapuserd_prop
     debugfs_kprobes
     device_config_profcollect_native_boot_prop
     device_state_service
diff --git a/private/file_contexts b/private/file_contexts
index abd9ad0..7f8aef3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -94,7 +94,7 @@
 /dev/console		u:object_r:console_device:s0
 /dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
 /dev/dma_heap/system    u:object_r:dmabuf_system_heap_device:s0
-/dev/dm-user/.+		u:object_r:dm_user_device:s0
+/dev/dm-user(/.*)?	u:object_r:dm_user_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
diff --git a/private/property.te b/private/property.te
index ffd3c51..575785d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
 # Properties used only in /system
 system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
 system_internal_prop(device_config_storage_native_boot_prop)
 system_internal_prop(device_config_sys_traced_prop)
diff --git a/private/property_contexts b/private/property_contexts
index e136dc9..5750acc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -172,6 +172,11 @@
 # Restrict access to restart dumpstate
 ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
 
+# Restrict access to control snapuserd
+ctl.start$snapuserd     u:object_r:ctl_snapuserd_prop:s0
+ctl.stop$snapuserd      u:object_r:ctl_snapuserd_prop:s0
+ctl.restart$snapuserd   u:object_r:ctl_snapuserd_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 
diff --git a/private/shell.te b/private/shell.te
index 452ee16..0e94cd1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -127,6 +127,7 @@
 set_prop(shell, traced_perf_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
 # Allow shell to enable Dynamic System Update
 set_prop(shell, dynamic_system_prop)
 # Allow shell to mock an OTA using persist.pm.mock-upgrade
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 4632240..99ee90f 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -1,4 +1,6 @@
 # snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
 
 typeattribute snapuserd coredomain;
 
@@ -12,4 +14,5 @@
 allow snapuserd dm_device:blk_file rw_file_perms;
 
 # Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
 allow snapuserd dm_user_device:chr_file rw_file_perms;
diff --git a/private/update_engine.te b/private/update_engine.te
index a33e675..8e09154 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -9,6 +9,9 @@
 # Allow to start gsid service.
 set_prop(update_engine, ctl_gsid_prop)
 
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
 # Allow to set the OTA related properties, e.g. ota.warm_reset.
 set_prop(update_engine, ota_prop)
 
@@ -17,3 +20,7 @@
 
 # Allow update_engine to call the callback function provided by GKI update hook.
 binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;