sepolicy: add rules for updater and update_engine
* We need special exceptions for update_engine scripts because we
handle backuptool operations through it.
* priv_app needs to be able to make ota package dirs in order to
put the ota in the correct spot.
Change-Id: I39d9d43ea4eb9e567c6ee24a4cd4f8969cd2bcdd
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..40295bb
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1,4 @@
+# Postinstall
+/system/bin/backuptool_ab\.functions u:object_r:otapreopt_chroot_exec:s0
+/system/bin/backuptool_ab\.sh u:object_r:otapreopt_chroot_exec:s0
+/system/bin/backuptool_postinstall\.sh u:object_r:otapreopt_chroot_exec:s0
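Review bot: Reusing `otapreopt_chroot_exec` for the three backuptool scripts ties them to whatever the base policy already grants on that type; in AOSP it is, as far as I know, the entrypoint label for the otapreopt_chroot domain, so these scripts may become valid entrypoints into that domain. `backuptool_ab\.functions` looks like a sourced helper rather than something executed directly, so it probably needs read access only and not an exec type. A dedicated label (for example a new `backuptool_exec` type declared in this policy) would keep the grants in update_engine.te and shell.te scoped to these files alone. The bare `# Postinstall` header could also say who runs them, e.g. `# backuptool scripts executed by update_engine during A/B postinstall`.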
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
new file mode 100644
index 0000000..1d7fca2
--- /dev/null
+++ b/sepolicy/private/priv_app.te
@@ -0,0 +1 @@
+allow priv_app ota_package_file:dir create_dir_perms;
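Review bot: `create_dir_perms` on `ota_package_file` is granted to the whole `priv_app` domain, so every privileged app on the device can create, rename and remove directories of that type, not only the updater the commit message refers to. If the updater can be placed in its own domain through `seapp_contexts`, the rule belongs on that domain. Otherwise narrow the permission set to what the app actually uses, since the message mentions only making directories. A comment such as `# Updater app creates the OTA package directory before downloading` would record why the rule exists.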
diff --git a/sepolicy/private/rootfs.te b/sepolicy/private/rootfs.te
new file mode 100644
index 0000000..7cfb964
--- /dev/null
+++ b/sepolicy/private/rootfs.te
@@ -0,0 +1 @@
+allow rootfs labeledfs:filesystem associate;
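Review bot: This rule has no comment explaining why objects labelled `rootfs` must be allowed on a `labeledfs` filesystem, and the same applies to the `sdcardfs` rule added in sepolicy/private/sdcardfs.te. Both rules are policy-wide: once `associate` is allowed, any domain with create or relabel rights can leave `rootfs`- or `sdcardfs`-labelled objects on persistent storage. Presumably this is only wanted for the update_engine postinstall path. If so, please say it on each rule, e.g. `# Needed while update_engine runs backuptool against the mounted slot`, and note the denial that motivated it so the rule can be dropped together with the relabel grant in update_engine.te.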
diff --git a/sepolicy/private/sdcardfs.te b/sepolicy/private/sdcardfs.te
new file mode 100644
index 0000000..245f9a8
--- /dev/null
+++ b/sepolicy/private/sdcardfs.te
@@ -0,0 +1 @@
+allow sdcardfs labeledfs:filesystem associate;
diff --git a/sepolicy/private/shell.te b/sepolicy/private/shell.te
new file mode 100644
index 0000000..20a5c60
--- /dev/null
+++ b/sepolicy/private/shell.te
@@ -0,0 +1,2 @@
+allow shell otapreopt_chroot_exec:file getattr;
+
diff --git a/sepolicy/private/update_engine.te b/sepolicy/private/update_engine.te
index 151d98d..309699a 100644
--- a/sepolicy/private/update_engine.te
+++ b/sepolicy/private/update_engine.te
@@ -1 +1,13 @@
allow update_engine self:capability { dac_override dac_read_search sys_rawio };
+
+r_dir_file(update_engine, mnt_user_file)
+r_dir_file(update_engine, storage_file)
+
+allow update_engine self:capability { chown fsetid sys_rawio };
+
+allow update_engine labeledfs:filesystem { mount unmount };
+
+allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms;
+allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms;
+allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms;
+allow update_engine { rootfs system_file }:file { relabelfrom relabelto };
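Review bot: The last four rules give `update_engine` create and write access to `system_file`, `rootfs` and `system_data_file` objects, relabel rights on `rootfs` and `system_file`, and execution of `rootfs`, `system_file` and `toolbox_exec` files via `rx_file_perms`. That macro includes `execute_no_trans`, so the backuptool scripts run inside the update_engine domain with its DAC-override and raw-I/O capabilities instead of in a confined domain. This is much broader than the "special exceptions" in the commit message and, depending on the platform release, may conflict with AOSP neverallow rules on writing or relabelling system files, so the build should be checked with neverallow enforcement on. A tighter shape would be a dedicated backuptool domain entered by a transition from update_engine and holding only the file access the scripts need. Separately, `sys_rawio` is already granted by the first line of the file, so the new capability rule can be `allow update_engine self:capability { chown fsetid };`.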