commit 7361d27fdeb45f3ea24ab41b1a1a130ab1f17233
author Alex Light <allight@google.com> Fri Mar 12 09:05:55 2021 -0800
committer Alex Light <allight@google.com> Thu Mar 25 11:28:34 2021 -0700
tree ac5c475f656df412df063aac5922a6dd64fa82df
parent 327dce7f109937e2ad036521fbf68fb8e3e504de

Allow /postinstall files to have custom contexts

We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.

The sample_images were updated to manually add a selinux label for
testing FS contexts.

Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967

Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631

payload_consumer/postinstall_runner_action.cc

diff --git a/payload_consumer/postinstall_runner_action.cc b/payload_consumer/postinstall_runner_action.cc
index e3e305b..5e42089 100644
--- a/payload_consumer/postinstall_runner_action.cc
+++ b/payload_consumer/postinstall_runner_action.cc
@@ -191,11 +191,12 @@
   }
 #endif  // __ANDROID__
 
-  if (!utils::MountFilesystem(mountable_device,
-                              fs_mount_dir_,
-                              MS_RDONLY,
-                              partition.filesystem_type,
-                              constants::kPostinstallMountOptions)) {
+  if (!utils::MountFilesystem(
+          mountable_device,
+          fs_mount_dir_,
+          MS_RDONLY,
+          partition.filesystem_type,
+          hardware_->GetPartitionMountOptions(partition.name))) {
     return CompletePartitionPostinstall(
         1, "Error mounting the device " + mountable_device);
   }