Create sepolicy for allowing system_server rw in /metadata/staged-install

Bug: 146343545 Test: presubmit Change-Id: I4a7a74ec4c5046d167741389a40da7f330d4c63d Merged-In: I4a7a74ec4c5046d167741389a40da7f330d4c63d (cherry picked from commit be5c4de29f)
2020-05-19 12:43:18 +01:00 · 2020-05-19 12:43:18 +01:00 · 476d616e43
commit 476d616e43
parent 5503debd17
8 changed files with 16 additions and 0 deletions
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@ -90,6 +90,7 @@
    snapshotctl_log_data_file
    socket_hook_prop
    soundtrigger_middleware_service
+    staged_install_file
    storage_config_prop
    sysfs_dm_verity
    system_adbd_prop
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@ -706,6 +706,7 @@
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
+/metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0

 #############################
 # asec containers
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@ -1112,6 +1112,10 @@ allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;

+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
 # Allow init to set sysprop used to compute stats about userspace reboot.
 set_prop(system_server, userspace_reboot_log_prop)

--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@ -231,6 +231,8 @@ type apex_metadata_file, file_type;
 type ota_metadata_file, file_type;
 # property files within /metadata/bootstat
 type metadata_bootstat_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;

 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -94,6 +94,7 @@
    snapshotctl_log_data_file
    socket_hook_prop
    soundtrigger_middleware_service
+    staged_install_file
    storage_config_prop
    sysfs_dm_verity
    system_adbd_prop
--- a/private/file_contexts
+++ b/private/file_contexts
@ -709,6 +709,7 @@
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
+/metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0

 #############################
 # asec containers
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1131,6 +1131,10 @@ allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;

+# Allow system server rw access to files in /metadata/staged-install folder
+allow system_server staged_install_file:dir rw_dir_perms;
+allow system_server staged_install_file:file create_file_perms;
+
 # Allow init to set sysprop used to compute stats about userspace reboot.
 set_prop(system_server, userspace_reboot_log_prop)

--- a/public/file.te
+++ b/public/file.te
@ -231,6 +231,8 @@ type apex_metadata_file, file_type;
 type ota_metadata_file, file_type;
 # property files within /metadata/bootstat
 type metadata_bootstat_file, file_type;
+# Staged install files within /metadata/staged-install
+type staged_install_file, file_type;

 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;