sepolicy changes to support ota metadata in super partition

Bug: 330744468
Test: Pixel 6 incremental flashing with wipe
Change-Id: I16edbbd200b7501b5812038db47409dc04f50957
Signed-off-by: Akilesh Kailash <akailash@google.com>
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index cf74619..3e95ff8 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -1301,6 +1301,11 @@
 /mnt/product                                                      mnt_product_file
 /mnt/product/test                                                 mnt_product_file
 
+
+/mnt/scratch_ota_metadata_super                                   ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota                               ota_metadata_file
+/mnt/scratch_ota_metadata_super/ota/snapshots                     ota_metadata_file
+
 /system/bin/check_dynamic_partitions                              postinstall_exec
 /product/bin/check_dynamic_partitions                             postinstall_exec
 /system/bin/otapreopt_script                                      postinstall_exec
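Review bot: The three added test entries check only the directory paths themselves, so nothing exercises the `(/.*)?` tail that labels files created under the snapshots directory. The neighbouring `/mnt/product` and `/mnt/product/test` pair tests a child path, and the same would help here, for example `/mnt/scratch_ota_metadata_super/ota/snapshots/test    ota_metadata_file` (constructed path). The extra blank line added before the new entries can also be dropped.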
diff --git a/private/file_contexts b/private/file_contexts
index d49be64..394d3b7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -883,6 +883,12 @@
 /metadata/aconfig/flags(/.*)?    u:object_r:aconfig_storage_flags_metadata_file:s0
 /metadata/aconfig_test_missions(/.*)?    u:object_r:aconfig_test_mission_files:s0
 
+############################
+# mount point for ota metadata
+/mnt/scratch_ota_metadata_super(/.*)?                 u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota(/.*)?             u:object_r:ota_metadata_file:s0
+/mnt/scratch_ota_metadata_super/ota/snapshots(/.*)?   u:object_r:ota_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
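Review bot: The second and third patterns are redundant, because `/mnt/scratch_ota_metadata_super(/.*)?` already matches `/ota`, `/ota/snapshots` and everything below them, and all three lines assign `ota_metadata_file`. I would keep only the first line, or state in the comment why the sub-paths are listed separately. The comment `# mount point for ota metadata` could also say what gets mounted here and which component labels its contents. These entries only take effect where labels are applied at creation or by restorecon, so it is worth confirming that files on the mounted filesystem actually end up as `ota_metadata_file`.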
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index 5bba84a..6de0292 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -107,5 +107,5 @@
 
 # Allow to read/write/create OTA metadata files for snapshot status and COW file status.
 allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:dir { rw_dir_perms rmdir };
 allow update_engine_common ota_metadata_file:file create_file_perms;
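Review bot: Adding `rmdir` to the `ota_metadata_file:dir` rule grants directory removal on every directory carrying that type, not only the new scratch mount, because the new paths in private/file_contexts reuse the existing label. If removal is only needed under /mnt/scratch_ota_metadata_super, a dedicated type for that mount would keep the grant narrow. If it is needed on all OTA metadata directories, the comment above the rule should say so, since it still describes only read/write/create of files; a line naming which directories update_engine removes and at what point in the update would document the intent. The rule adds `rmdir` without `create`, so the directories are presumably created by another domain, which is worth confirming against that domain's policy.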