init: Allow interacting with snapuserd and libsnapshot.
During first-stage init we spawn a daemon (snapuserd) to interact with
the dm-user kernel module. Immediately after sepolicy is loaded, we
launch the daemon again with the correct privileges, and kill the
original one.
In order for init to do this, it needs to be able to open and write to
the snapuserd socket (which is corrected to the "correct" daemon), as
well as call flock() on /metadata/ota which is how libsnapshot ensures
exclusive access to Virtual A/B snapshots.
Bug: 168259959
Test: no denials with Virtual A/B Compression enabled
Change-Id: Ic7fc78ca1a17673b878766e0f4dfe0265c1be768
diff --git a/private/init.te b/private/init.te
index 1f7ce25..02d45a1 100644
--- a/private/init.te
+++ b/private/init.te
@@ -55,6 +55,13 @@
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)