tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow update_engine to communicate with apexd

Browse source 
When we serve compressed APEX via OTA, we need to ensure device has
enough space to decompress them during boot. In order to do that,
update_engine will need to pass metadata about the OTA to apexd so that
it can make calculation about space requirments. Update engine in return
will display warning to user if the space requirement can't be
fulfilled.

Bug: 172911822
Test: manual
Change-Id: Idff25ac8e5165da70c539edcf6b292e04299a5c6
This commit is contained in:
Mohammad Samiul Islam 2021-02-18 19:55:31 +00:00 committed by Mohammad Islam
parent a1e58814a8
commit 606a3dca3e
2 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
private/update_engine.te
View file

@ -24,3 +24,8 @@ binder_call(update_engine, gki_apex_prepostinstall)
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
# Allow to communicate with apexd for calculating and reserving space for
# capex decompression
allow update_engine apex_service:service_manager find;
binder_call(update_engine, apexd)

4
public/apexd.te
View file

@ -5,7 +5,7 @@ type apexd_exec, exec_type, file_type, system_file_type;
binder_use(apexd)
add_service(apexd, apex_service)
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;