Merge "Support GKI updates"
diff --git a/apex/Android.bp b/apex/Android.bp
index d3acfdb..78e1be9 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -77,6 +77,13 @@
}
filegroup {
+ name: "com.android.gki-file_contexts",
+ srcs: [
+ "com.android.gki-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
diff --git a/apex/com.android.gki-file_contexts b/apex/com.android.gki-file_contexts
new file mode 100644
index 0000000..ccee7f8
--- /dev/null
+++ b/apex/com.android.gki-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/(.*)? u:object_r:gki_apex_prepostinstall_exec:s0
diff --git a/private/apexd.te b/private/apexd.te
index 4d1938a..b7d6702 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -135,6 +135,9 @@
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
+# Allow transition to GKI update pre/post install domain
+domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
+
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index cfbd6e5..1441a5b 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,8 @@
adbd_config_prop
apex_info_file
debugfs_kprobes
+ gki_apex_prepostinstall
+ gki_apex_prepostinstall_exec
gnss_device
hal_dumpstate_config_prop
keystore2_key_contexts_file
diff --git a/private/gki_apex_prepostinstall.te b/private/gki_apex_prepostinstall.te
new file mode 100644
index 0000000..fa5cd14
--- /dev/null
+++ b/private/gki_apex_prepostinstall.te
@@ -0,0 +1,20 @@
+# GKI pre- & post-install hooks.
+#
+# Allow to run pre- and post-install hooks for GKI APEXes
+
+type gki_apex_prepostinstall, domain, coredomain;
+type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+# Execute /system/bin/sh.
+allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
+
+# Execute various toolsbox utilities.
+allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
+
+# Allow preinstall.sh to execute update_engine_stable_client binary.
+allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
+
+# Allow preinstall hook to communicate with update_engine to execute update.
+binder_use(gki_apex_prepostinstall)
+allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
+binder_call(gki_apex_prepostinstall, update_engine)
diff --git a/private/update_engine.te b/private/update_engine.te
index 539399e..a33e675 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -14,3 +14,6 @@
# Allow to get the DSU status
get_prop(update_engine, gsid_prop)
+
+# Allow update_engine to call the callback function provided by GKI update hook.
+binder_call(update_engine, gki_apex_prepostinstall)