2015-12-05 02:48:50 +01:00
|
|
|
# update_verifier
|
Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
|
|
|
type update_verifier, domain;
|
2015-12-05 02:48:50 +01:00
|
|
|
type update_verifier_exec, exec_type, file_type;
|
|
|
|
|
2016-06-22 21:16:47 +02:00
|
|
|
# Allow update_verifier to reach block devices in /dev/block.
|
|
|
|
allow update_verifier block_device:dir search;
|
|
|
|
|
2016-06-06 20:30:20 +02:00
|
|
|
# Read care map in /data/ota_package/.
|
|
|
|
allow update_verifier ota_package_file:dir r_dir_perms;
|
|
|
|
allow update_verifier ota_package_file:file r_file_perms;
|
|
|
|
|
2017-01-20 02:41:02 +01:00
|
|
|
# Read all blocks in dm wrapped system partition.
|
|
|
|
allow update_verifier dm_device:blk_file r_file_perms;
|
2016-06-06 20:30:20 +02:00
|
|
|
|
2017-04-04 05:08:37 +02:00
|
|
|
# Allow update_verifier to reboot the device.
|
|
|
|
set_prop(update_verifier, powerctl_prop)
|
|
|
|
|
Switch Boot Control HAL policy to _client/_server
This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.
Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.
Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.
P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.
Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
1. make dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
|
|
|
# Use Boot Control HAL
|
|
|
|
hal_client_domain(update_verifier, hal_bootctl)
|