Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / 7361d27fdeb45f3ea24ab41b1a1a130ab1f17233^! / . / sample_images
commit7361d27fdeb45f3ea24ab41b1a1a130ab1f17233[log] [tgz]
authorAlex Light <allight@google.com>Fri Mar 12 09:05:55 2021 -0800
committerAlex Light <allight@google.com>Thu Mar 25 11:28:34 2021 -0700
treeac5c475f656df412df063aac5922a6dd64fa82df
parent327dce7f109937e2ad036521fbf68fb8e3e504de [diff]
Allow /postinstall files to have custom contexts

We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.

The sample_images were updated to manually add a selinux label for
testing FS contexts.

Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967

Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631

diff --git a/sample_images/generate_images.sh b/sample_images/generate_images.sh
index e0b54ae..81a3296 100755
--- a/sample_images/generate_images.sh
+++ b/sample_images/generate_images.sh

@@ -186,14 +186,27 @@
 exit 0
 EOF
 
+  # An unlabeled postinstall bash program.
+  sudo tee "${mntdir}"/bin/self_check_default_context >/dev/null <<EOF
+#!/etc/../bin/sh
+echo "This is my context:"
+ls -lZ "\$0"
+ls -lZ "\$0" | grep -F ' u:object_r:postinstall_file:s0 ' || exit 5
+exit 0
+EOF
+
   # A postinstall bash program.
   sudo tee "${mntdir}"/bin/self_check_context >/dev/null <<EOF
 #!/etc/../bin/sh
 echo "This is my context:"
-ls -lZ "\$0" | grep -F ' u:object_r:postinstall_file:s0 ' || exit 5
+ls -lZ "\$0"
+ls -lZ "\$0" | grep -F ' u:object_r:postinstall_exec:s0 ' || exit 5
 exit 0
 EOF
 
+  # Give the test function the context we expect the postinstall-executable to have.
+  sudo setfattr -n security.selinux -v u:object_r:postinstall_exec:s0 "${mntdir}"/bin/self_check_context
+
   sudo tee "${mntdir}"/postinst >/dev/null <<EOF
 #!/etc/../bin/sh
 echo "postinst"

diff --git a/sample_images/sample_images.tar.bz2 b/sample_images/sample_images.tar.bz2
index 5c80a51..7965d8b 100644
--- a/sample_images/sample_images.tar.bz2
+++ b/sample_images/sample_images.tar.bz2
Binary files differ

diff --git a/sample_images/sample_payloads.tar.xz b/sample_images/sample_payloads.tar.xz
index d0bf6d9..eb589ba 100644
--- a/sample_images/sample_payloads.tar.xz
+++ b/sample_images/sample_payloads.tar.xz
Binary files differ