Add a new context for property ota.warm_reset
The property is set to inform kernel to do a warm_reset on the next
reboot. This is useful to persist the logs to debug device boot
failures. More details in http://go/rvc-ota-persist-logs.
The property is set to 1 by update_engine after an OTA, and reset to 0 by
update_verifier or vold once the current slot has been marked as booted
successfully.
The property is read by vendor_init. And according to its value,
vendor_init writes a particular sysfs file to schedule a warm reset
on the following reboot.
Without the new context, the denial message says:
[ 13.423163] audit: type=1107 audit(1746393.166:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { read } for property=ota.warm_reset pid=0 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0'
[ 23.096497] init: Unable to set property 'OTA.warm_reset' from uid:0 gid:2001 pid:841: SELinux permission check failed
[ 23.096574] type=1107 audit(1573768000.668:42): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=OTA.warm_reset pid=841 uid=0 gid=2001 scontext=u:r:update_verifier:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
[ 23.108430] update_verifier: Failed to reset the warm reset flag
Bug: 143489994
Test: check the property can be set by update_engine, and read by vendor_init
Change-Id: I87c12a53a138b72ecfed3ab6a4d846c20f5a8484
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 83c76cb..9656486 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -26,6 +26,7 @@
linker_prop
mock_ota_prop
ota_metadata_file
+ ota_prop
art_apex_dir
service_manager_service
system_group_file
diff --git a/private/property_contexts b/private/property_contexts
index 16c8d93..0ecf0dd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -219,3 +219,6 @@
# Virtual A/B properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+
+# Property to set/clear the warm reset flag after an OTA update.
+ota.warm_reset u:object_r:ota_prop:s0
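Review bot: The new entry labels the lowercase `ota.warm_reset`, but the update_verifier denial quoted in the description reports `Unable to set property 'OTA.warm_reset'` and `property=OTA.warm_reset` with an uppercase prefix, while the vendor_init read denial uses the lowercase name. Property name lookup in property_contexts is case-sensitive, so if update_verifier really sets the uppercase spelling it would still land on `default_prop` after this change; worth confirming the setter uses the lowercase name or that the log came from an older build. As I understand it an entry without a type annotation is a prefix match, so any future `ota.warm_reset*` property would inherit this label; the comment could say so, e.g. `# Property to set/clear the warm reset flag after an OTA update (prefix match).`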
diff --git a/public/property.te b/public/property.te
index d417628..f2c2353 100644
--- a/public/property.te
+++ b/public/property.te
@@ -130,6 +130,7 @@
system_public_prop(log_tag_prop)
system_public_prop(lowpan_prop)
system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
@@ -287,6 +288,7 @@
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
+typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
@@ -313,6 +315,7 @@
-logd_prop
-net_radio_prop
-nfc_prop
+ -ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
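Review bot: The `-ota_prop` exclusion here, and the matching one in the hunk at @@ -625, carve the new type out of two `core_property_type` neverallow rules whose subject and permission sets begin above the hunk and are not visible, so the exact widening cannot be judged from this diff. The change only needs vendor_init to read the property, and vendor_init is typically already exempted in those rules, so confirm each exclusion is actually required rather than added by analogy with the neighbouring entries; an unneeded exclusion may allow vendor policy to grant access to a flag that drives a kernel warm reset. If both are needed, a short comment next to the first would help: `# ota_prop: read by vendor_init to schedule a warm reset.`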
@@ -625,6 +628,7 @@
-net_radio_prop
-netd_stable_secret_prop
-nfc_prop
+ -ota_prop
-overlay_prop
-pan_result_prop
-persist_debug_prop
diff --git a/public/update_engine.te b/public/update_engine.te
index 5410bde..8aafe34 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -58,6 +58,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8d40cdd..f881aeb 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -27,6 +27,9 @@
# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
+
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 21a9222..fe5755f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -258,6 +258,8 @@
get_prop(vendor_init, exported3_system_prop)
get_prop(vendor_init, theme_prop)
+get_prop(vendor_init, ota_prop)
+
###
### neverallow rules
###
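Review bot: The new `get_prop(vendor_init, ota_prop)` line has no comment, unlike the equivalent additions in update_engine.te and update_verifier.te, so a reader of vendor_init.te cannot tell why vendor init reads an OTA property. Suggest `# Read ota.warm_reset so vendor_init can schedule a warm reset on the next reboot.` directly above it. The sysfs write vendor_init performs based on this value is not covered by this change; presumably the vendor policy already grants it.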
diff --git a/public/vold.te b/public/vold.te
index 9e68d65..bc4da1e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -174,6 +174,7 @@
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;