Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c9b0d956 authored by Dan Pasanen's avatar Dan Pasanen Committed by Rashed Abdel-Tawab
Browse files

sepolicy: add rules for updater and update_engine 

* We need special exceptions for update_engine scripts because we
  handle backuptool operations through it.

* priv_app needs to be able to make ota package dirs in order to
  put the ota in the correct spot.

Change-Id: I42a421e4d84adde9514932a056c082d1cb3e09b4
parent 37422f7d

common/private/file_contexts

+6 −0
Original line number Diff line number Diff line
@@ -8,6 +8,11 @@ 
# OTA packages

/data/lineageos_updates(/.*)?           u:object_r:ota_package_file:s0



# Postinstall

/system/bin/backuptool_ab\.functions              u:object_r:otapreopt_chroot_exec:s0

/system/bin/backuptool_ab\.sh                     u:object_r:otapreopt_chroot_exec:s0

/system/bin/backuptool_postinstall\.sh            u:object_r:otapreopt_chroot_exec:s0



# Recovery

/sbin/minivold                          u:object_r:vold_exec:s0
@@ -22,3 +27,4 @@ 
/sys/devices/virtual/timed_output/vibrator/vtg_level u:object_r:sysfs_vibrator:s0

/sys/devices/virtual/timed_output/vibrator/vtg_min u:object_r:sysfs_vibrator:s0

/sys/devices/virtual/timed_output/vibrator/vtg_max u:object_r:sysfs_vibrator:s0

common/private/priv_app.te

0 → 100644
+1 −0
Original line number Diff line number Diff line 
allow priv_app ota_package_file:dir create_dir_perms;

common/private/rootfs.te

0 → 100644
+1 −0
Original line number Diff line number Diff line 
allow rootfs labeledfs:filesystem associate;

common/private/sdcardfs.te

0 → 100644
+1 −0
Original line number Diff line number Diff line 
allow sdcardfs labeledfs:filesystem associate;

common/private/update_engine.te

+12 −0
Original line number Diff line number Diff line 
allow update_engine self:capability { dac_override dac_read_search sys_rawio };



r_dir_file(update_engine, mnt_user_file)

r_dir_file(update_engine, storage_file)



allow update_engine self:capability { chown fsetid sys_rawio };



allow update_engine labeledfs:filesystem { mount unmount };



allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms;

allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms;

allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms;

allow update_engine { rootfs system_file }:file { relabelfrom relabelto };