Add necessary sepolicy for update_engine to reserve space on data
Test: serve an OTA, make sure /data/apex/reserved is present
Bug: 172911822
Change-Id: I9f7967c9047ae834eb55a48d56ffc34a7b37f5db
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index bf02085..45826b0 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -11,6 +11,7 @@
apex_art_data_file
apex_art_staging_data_file
apex_info_file
+ apex_ota_reserved_file
apex_scheduling_data_file
app_hibernation_service
appcompat_data_file
diff --git a/private/file_contexts b/private/file_contexts
index b7c5628..a6b92bc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -521,6 +521,7 @@
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
+/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
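Review bot: The path labeled on the added line, `/data/apex/ota_reserved(/.*)?`, does not match the commit message, whose Test line checks for `/data/apex/reserved`. If update_engine actually writes to the path named in the test, the files would presumably keep the parent directory's label and the new `apex_ota_reserved_file` rules would never apply. Confirm which path the daemon uses and align the Test line with it. A short comment above the entry would also help, for example `# Space reserved by update_engine for APEX decompression during OTA`.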
diff --git a/public/file.te b/public/file.te
index f0d5622..8426ad6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -380,6 +380,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
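Review bot: The new `apex_ota_reserved_file` type is declared under the `# /data/misc subdirectories` heading, but the file_contexts entry in this same change puts it at `/data/apex/ota_reserved`. Anyone auditing which types cover which part of /data will be misled by that grouping. Either declare it next to the other /data/apex types (not visible in this hunk) or add a comment such as `# /data/apex/ota_reserved, written by update_engine` directly above the declaration.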
diff --git a/public/update_engine.te b/public/update_engine.te
index b7cf827..206d29c 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,6 +29,14 @@
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
+# TODO(b/172911822): remove these access when we have transferred
+# reservation responsibility to apexd
+
+# Allow reserving space on /data/apex/ota_reserved for apex decompression
+allow update_engine apex_ota_reserved_file:dir create_dir_perms;
+allow update_engine apex_ota_reserved_file:file create_file_perms;
+allow update_engine apex_data_file:dir search;
+
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
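Review bot: `create_dir_perms` on `apex_ota_reserved_file:dir` looks wider than this change can use. update_engine gets only `search` on `apex_data_file:dir`, so it cannot create `/data/apex/ota_reserved` itself, since that needs `write` and `add_name` on the parent. The directory presumably has to be created and labeled elsewhere, for example by init. If so, `allow update_engine apex_ota_reserved_file:dir rw_dir_perms;` would still let it add and remove the reservation file without granting create, rmdir, rename or setattr on directories of this type. Because the TODO marks these rules as temporary, the comment should also say which domain consumes the reserved space, as no rule granting apexd access to this type is visible in this change.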