Add sepolicy for starting the snapuserd daemon through init. Restrict access to controlling snapuserd via ctl properties. Allow update_engine to control snapuserd, and connect/write to its socket. update_engine needs this access so it can create the appropriate dm-user device (which sends queries to snapuserd), which is then used to build the update snapshot. This also fixes a bug where /dev/dm-user was not properly labelled. As a result, snapuserd and update_engine have been granted r_dir_perms to dm_user_device. Bug: 168554689 Test: full ota with VABC enabled Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0

commit: 09bb944221a1e3adeed14eb110895fca2f9b347d [log] [tgz]
author: David Anderson <dvander@google.com> Fri Nov 13 00:45:59 2020 -0800
committer: David Anderson <dvander@google.com> Thu Nov 19 21:03:30 2020 +0000
tree: 95baab6523c956c31e448067f7535bfeb392010b
parent: 5d6020d9f5a60e92a8ec7109344145f3d4ab533d [diff] [blame]
diff --git a/private/shell.te b/private/shell.te
index 452ee16..0e94cd1 100644
--- a/private/shell.te
+++ b/private/shell.te

@@ -127,6 +127,7 @@
 set_prop(shell, traced_perf_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
 # Allow shell to enable Dynamic System Update
 set_prop(shell, dynamic_system_prop)
 # Allow shell to mock an OTA using persist.pm.mock-upgrade
commit	09bb944221a1e3adeed14eb110895fca2f9b347d	[log] [tgz]
author	David Anderson <dvander@google.com>	Fri Nov 13 00:45:59 2020 -0800
committer	David Anderson <dvander@google.com>	Thu Nov 19 21:03:30 2020 +0000
tree	95baab6523c956c31e448067f7535bfeb392010b
parent	5d6020d9f5a60e92a8ec7109344145f3d4ab533d [diff] [blame]