Allow system app and update_engine to read OTA from /vendor

Introduce vendor_boot_ota_file, which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read by the Settings app (system_app) and update
engine.

Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 02bbced..ca0f459 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -2682,7 +2682,7 @@
 (typeattributeset vendor_configs_file_202404 (vendor_configs_file))
 (typeattributeset vendor_data_file_202404 (vendor_data_file))
 (typeattributeset vendor_default_prop_202404 (vendor_default_prop))
-(typeattributeset vendor_file_202404 (vendor_file))
+(typeattributeset vendor_file_202404 (vendor_file vendor_boot_ota_file))
 (typeattributeset vendor_framework_file_202404 (vendor_framework_file))
 (typeattributeset vendor_hal_file_202404 (vendor_hal_file))
 (typeattributeset vendor_idc_file_202404 (vendor_idc_file))
diff --git a/private/domain.te b/private/domain.te
index 60e61a4..53bcdcf 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2036,6 +2036,7 @@
     -vendor_app_file
     -vendor_apex_file
     -vendor_apex_metadata_file
+    -vendor_boot_ota_file
     -vendor_configs_file
     -vendor_microdroid_file
     -vendor_service_contexts_file
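Review bot: Adding `-vendor_boot_ota_file` to this exclusion list exempts the new type for every source domain the rule names, not only system_app and update_engine. The statement starts and ends outside the hunk, so which rule this is (presumably a neverallow restricting access to vendor_file_type) cannot be confirmed from here. If it is that restriction, a later change could grant another core domain access to /vendor/boot_otas without any build-time check failing. Consider pairing the exemption with a dedicated rule along the lines of `neverallow { coredomain -system_app -update_engine } vendor_boot_ota_file:file { open read };`, with the exempt set checked against existing grants before it lands.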
diff --git a/private/file_contexts b/private/file_contexts
index c72d752..b82b4f0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -437,6 +437,8 @@
 
 /(vendor|system/vendor)/etc/aconfig(/.*)?                      u:object_r:vendor_aconfig_storage_file:s0
 
+/vendor/boot_otas(/.*)?                                        u:object_r:vendor_boot_ota_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
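Review bot: The new `/vendor/boot_otas(/.*)?` entry matches only the literal /vendor prefix, while the neighbouring entries in this hunk use `/(vendor|system/vendor)/...`. On a build where vendor content is reached under /system/vendor, the directory would not receive vendor_boot_ota_file and would presumably fall back to a broader vendor label, so the new allow rules would not apply to it. If that is not intended, write the pattern as `/(vendor|system/vendor)/boot_otas(/.*)?`. If devices that set BOARD_16K_OTA_MOVE_VENDOR always have a dedicated vendor partition, a one-line comment above the entry saying so would make the difference deliberate.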
diff --git a/private/system_app.te b/private/system_app.te
index af9d168..5016a40 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -196,3 +196,6 @@
 neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
 # system_app should be the only domain writing the force l3 prop
 neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
+
+allow system_app vendor_boot_ota_file:dir { r_dir_perms };
+allow system_app vendor_boot_ota_file:file { r_file_perms };
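Review bot: The two allow rules appended at the end of system_app.te have no comment explaining why system_app needs them, and the same applies to the matching pair at the end of update_engine.te. system_app covers every platform-signed app running as the system UID, not only Settings, so the reason for the grant should be recorded next to it, for example `# Allow Settings to read 16K boot OTAs from /vendor/boot_otas (BOARD_16K_OTA_MOVE_VENDOR)`. The braces around a single permission macro are also unnecessary: `allow system_app vendor_boot_ota_file:dir r_dir_perms;` matches how the existing `proc_filesystems` rule in update_engine.te is written.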
diff --git a/private/update_engine.te b/private/update_engine.te
index 6a60718..1a6d9c7 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -115,3 +115,6 @@
 # Allow determining filesystems available on system.
 # Needed for checking if overlayfs is enabled
 allow update_engine proc_filesystems:file r_file_perms;
+
+allow update_engine vendor_boot_ota_file:dir { r_dir_perms };
+allow update_engine vendor_boot_ota_file:file { r_file_perms };