Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / 7361d27fdeb45f3ea24ab41b1a1a130ab1f17233^! / . / common
commit7361d27fdeb45f3ea24ab41b1a1a130ab1f17233[log] [tgz]
authorAlex Light <allight@google.com>Fri Mar 12 09:05:55 2021 -0800
committerAlex Light <allight@google.com>Thu Mar 25 11:28:34 2021 -0700
treeac5c475f656df412df063aac5922a6dd64fa82df
parent327dce7f109937e2ad036521fbf68fb8e3e504de [diff]
Allow /postinstall files to have custom contexts

We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.

The sample_images were updated to manually add a selinux label for
testing FS contexts.

Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967

Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631

diff --git a/common/fake_hardware.h b/common/fake_hardware.h
index 29ba607..6c25183 100644
--- a/common/fake_hardware.h
+++ b/common/fake_hardware.h

@@ -216,6 +216,17 @@
     return utils::IsTimestampNewer(old_version, new_version);
   }
 
+  const char* GetPartitionMountOptions(
+      const std::string& partition_name) const override {
+#ifdef __ANDROID__
+    // TODO(allight): This matches the declaration in hardware_android.cc but
+    // ideally shouldn't be duplicated.
+    return "defcontext=u:object_r:postinstall_file:s0";
+#else
+    return "";
+#endif
+  }
+
  private:
   bool is_official_build_{true};
   bool is_normal_boot_mode_{true};

diff --git a/common/hardware_interface.h b/common/hardware_interface.h
index 7460097..4e820f1 100644
--- a/common/hardware_interface.h
+++ b/common/hardware_interface.h

@@ -160,6 +160,9 @@
   virtual ErrorCode IsPartitionUpdateValid(
       const std::string& partition_name,
       const std::string& new_version) const = 0;
+
+  virtual const char* GetPartitionMountOptions(
+      const std::string& partition_name) const = 0;
 };
 
 }  // namespace chromeos_update_engine

diff --git a/common/platform_constants.h b/common/platform_constants.h
index c060133..06399e5 100644
--- a/common/platform_constants.h
+++ b/common/platform_constants.h

@@ -54,10 +54,6 @@
 // The stateful directory used by update_engine.
 extern const char kNonVolatileDirectory[];
 
-// Options passed to the filesystem when mounting the new partition during
-// postinstall.
-extern const char kPostinstallMountOptions[];
-
 #ifdef __ANDROID_RECOVERY__
 constexpr bool kIsRecovery = true;
 #else