Add sepolicy for starting the snapuserd daemon through init. Restrict access to controlling snapuserd via ctl properties. Allow update_engine to control snapuserd, and connect/write to its socket. update_engine needs this access so it can create the appropriate dm-user device (which sends queries to snapuserd), which is then used to build the update snapshot. This also fixes a bug where /dev/dm-user was not properly labelled. As a result, snapuserd and update_engine have been granted r_dir_perms to dm_user_device. Bug: 168554689 Test: full ota with VABC enabled Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0

commit: 09bb944221a1e3adeed14eb110895fca2f9b347d [log] [tgz]
author: David Anderson <dvander@google.com> Fri Nov 13 00:45:59 2020 -0800
committer: David Anderson <dvander@google.com> Thu Nov 19 21:03:30 2020 +0000
tree: 95baab6523c956c31e448067f7535bfeb392010b
parent: 5d6020d9f5a60e92a8ec7109344145f3d4ab533d [diff] [blame]
diff --git a/private/property.te b/private/property.te
index ffd3c51..575785d 100644
--- a/private/property.te
+++ b/private/property.te

@@ -1,5 +1,6 @@
 # Properties used only in /system
 system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
 system_internal_prop(device_config_storage_native_boot_prop)
 system_internal_prop(device_config_sys_traced_prop)
commit	09bb944221a1e3adeed14eb110895fca2f9b347d	[log] [tgz]
author	David Anderson <dvander@google.com>	Fri Nov 13 00:45:59 2020 -0800
committer	David Anderson <dvander@google.com>	Thu Nov 19 21:03:30 2020 +0000
tree	95baab6523c956c31e448067f7535bfeb392010b
parent	5d6020d9f5a60e92a8ec7109344145f3d4ab533d [diff] [blame]