Merge "Add sepolicy for dm-user devices and the snapuserd daemon."
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 5cd658b..7041276 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -12,6 +12,7 @@
debugfs_kprobes
device_config_profcollect_native_boot_prop
device_state_service
+ dm_user_device
dmabuf_system_heap_device
framework_watchdog_config_prop
gki_apex_prepostinstall
@@ -36,6 +37,9 @@
profcollectd_exec
profcollectd_service
shell_test_data_file
+ snapuserd
+ snapuserd_exec
+ snapuserd_socket
sysfs_devices_cs_etm
system_server_dumper_service
update_engine_stable_service
diff --git a/private/file_contexts b/private/file_contexts
index 1448f5a..abd9ad0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -94,6 +94,7 @@
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dm-user/.+ u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
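Review bot: The added `/dev/dm-user/.+` entry labels only paths below the directory, so `/dev/dm-user` itself keeps whatever label a broader `/dev` rule assigns, and `.+` also matches paths with further `/` components. If the intent is a flat directory of control nodes, `/dev/dm-user/[^/]+` is tighter. If the directory should carry the type too, the usual form is `/dev/dm-user(/.*)?`, paired with an explicit `dm_user_device:dir` rule for the daemon. As written, snapuserd's ability to reach the nodes depends on directory permissions granted elsewhere, which this change does not show.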
@@ -153,6 +154,7 @@
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
@@ -353,6 +355,7 @@
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+/system/bin/snapuserd u:object_r:snapuserd_exec:s0
#############################
# Vendor files
diff --git a/private/snapuserd.te b/private/snapuserd.te
new file mode 100644
index 0000000..4632240
--- /dev/null
+++ b/private/snapuserd.te
@@ -0,0 +1,15 @@
+# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+
+typeattribute snapuserd coredomain;
+
+init_daemon_domain(snapuserd)
+
+allow snapuserd kmsg_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
+allow snapuserd block_device:dir r_dir_perms;
+allow snapuserd dm_device:chr_file rw_file_perms;
+allow snapuserd dm_device:blk_file rw_file_perms;
+
+# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:chr_file rw_file_perms;
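Review bot: The comment `# Reading and writing to /dev/block/dm-* (device-mapper) nodes.` does not describe the `dm_device:chr_file` rule beneath it. Per the file_contexts context line in this change, the character node with that label is `/dev/device-mapper`, the device-mapper control interface, not a `dm-*` block node. If snapuserd only services dm-user requests and does I/O on already-created snapshot devices, that rule may be unnecessary; otherwise it should get its own comment stating why the daemon needs the control node. The `dm_device:blk_file rw_file_perms` rule appears to cover every block device carrying that label rather than only the snapshot devices, so a comment on why no narrower type is used would help. The `kmsg_device` rule could probably be `w_file_perms` if the daemon only logs to it.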
diff --git a/public/device.te b/public/device.te
index 4282a25..210cb7e 100644
--- a/public/device.te
+++ b/public/device.te
@@ -9,6 +9,7 @@
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
+type dm_user_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
diff --git a/public/file.te b/public/file.te
index 73a2f58..0e61e8c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -472,6 +472,7 @@
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
+type snapuserd_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
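Review bot: `snapuserd_socket` is declared here and labelled at `/dev/socket/snapuserd`, but none of the policy shown in this change lets any domain use it. `private/snapuserd.te` has no rule naming the type, and no client is granted `write` on the socket or `connectto` on snapuserd. If the clients arrive in a follow-up, a comment in `private/snapuserd.te` would make the intended access boundary reviewable now, for example `# Control socket; only <client_domain> may connect.` with the real client domain filled in.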
diff --git a/public/snapuserd.te b/public/snapuserd.te
new file mode 100644
index 0000000..2dd2db2
--- /dev/null
+++ b/public/snapuserd.te
@@ -0,0 +1,4 @@
+# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;