Add selinux labels for /metadata/ota.
/metadata/ota will store critical bits necessary to reify
system and vendor partition state during an OTA. It will be accessed
primarily by first-stage init, recovery/fastbootd, and update_engine.
Bug: 136678799
Test: manual test
Change-Id: Ib78cb96ac60ca11bb27d2b2fe011482e64ba0cf8
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 225b582..77bf84b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -8,6 +8,7 @@
cold_boot_done_prop
ctl_apexd_prop
device_config_sys_traced_prop
+ ota_metadata_file
runtime_apex_dir
system_ashmem_hwservice
vendor_apex_file))
diff --git a/private/file_contexts b/private/file_contexts
index 5532bd3..aa2a42e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -629,6 +629,7 @@
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
+/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
#############################
# asec containers
diff --git a/public/file.te b/public/file.te
index c78ddd5..8148a9e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -212,6 +212,8 @@
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;
+# libsnapshot files within /metadata
+type ota_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
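Review bot: `ota_metadata_file` is declared with only `file_type`, and no allow or neverallow rule for it appears anywhere in this change, so nothing in policy yet pins who may write data the commit message calls critical to reconstructing system and vendor state. Even if the access rules land in a follow-up, a neverallow next to the declaration would stop later changes from widening access, for example `neverallow { domain -init -recovery -fastbootd -update_engine } ota_metadata_file:file no_w_file_perms;`, with the exact domain set confirmed by the author. The added comment could also name the path and the intended users rather than only libsnapshot, e.g. `# OTA state under /metadata/ota, used by first-stage init, recovery/fastbootd and update_engine`.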
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c439ffd..3312ff8 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -51,6 +51,7 @@
-system_file_type
-mnt_product_file
-password_slot_metadata_file
+ -ota_metadata_file
-unlabeled
-vendor_file_type
-vold_metadata_file
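Review bot: The `-ota_metadata_file` exclusion is hand-copied into five separate type sets (this hunk and the ones at `@@ -65`, `@@ -79`, `@@ -93` and `@@ -107`), and the statements those sets belong to start and end outside the hunks, so it cannot be confirmed from here that every vendor_init rule built on `file_type` is covered. A compile-time backstop would make a missed or later-added set fail the build instead of silently granting access, e.g. `neverallow vendor_init ota_metadata_file:dir_file_class_set *;` if no access at all is intended. If vendor_init legitimately picks up getattr or search on this type through a domain-wide rule, the permission set in that neverallow would need narrowing to the write and relabel permissions.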
@@ -65,6 +66,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -79,6 +81,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -93,6 +96,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -107,6 +111,7 @@
-exec_type
-mnt_product_file
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-vendor_file_type
-vold_metadata_file