Move update_engine policy to AOSP.

The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.

Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the notallow for writing to partitions
labeled as system_block_device.

Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.

Bug: 23186405
Test: Manually tested with Brillo build.

Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
diff --git a/file_contexts b/file_contexts
index 42ed5ff..69a5954 100644
--- a/file_contexts
+++ b/file_contexts
@@ -199,6 +199,7 @@
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine        u:object_r:update_engine_exec:s0
 
 #############################
 # Vendor files
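Review bot: The added `/system/bin/update_engine` entry references `update_engine_exec`, and nothing in this file shows where that type is declared. Please confirm the same change declares it with the `exec_type, file_type` attributes and sets up the domain transition from init; otherwise the policy will not compile, or the daemon will keep running in init's domain. On style, the padding after the path does not line up with the context column used by the `blkid` and `tzdatacheck` lines just above; matching that column keeps the block readable.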
@@ -274,6 +275,7 @@
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
 # Fingerprint data
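Review bot: The `/data/misc/update_engine(/.*)?` entry labels the directory and everything under it as `update_engine_data_file`, but the label only takes effect if the directory is created and relabelled at boot. Please confirm the change (or a companion init change) creates `/data/misc/update_engine` with restrictive ownership and mode, and that `update_engine_data_file` is declared with `file_type, data_file_type` so existing neverallow rules on data files still cover it. Since the Test line mentions only a Brillo build, it would also be worth checking the resulting labels on an Android build with `ls -Z` before merging.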