Merge changes Idfe99d40,I3cba28cc,Ibd53cacb

* changes:
  Add rules for snapshotctl
  dontaudit update_engine access to gsi_metadata_file.
  update_engine: rules to apply virtual A/B OTA

private/file.te

@@ -23,3 +23,6 @@ type rollback_data_file, file_type, data_file_type, core_data_file_type;
 
 # /dev/linkerconfig(/.*)?
 type linkerconfig_file, file_type;
+
+# /data/gsi/ota
+type ota_image_data_file, file_type, data_file_type, core_data_file_type;

private/file_contexts

@@ -253,6 +253,7 @@
 /system/bin/recovery-persist     u:object_r:recovery_persist_exec:s0
 /system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
 /system/bin/sdcard      u:object_r:sdcardd_exec:s0
+/system/bin/snapshotctl      u:object_r:snapshotctl_exec:s0
 /system/bin/dhcpcd      u:object_r:dhcp_exec:s0
 /system/bin/dhcpcd-6\.8\.2	u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
@@ -468,6 +469,7 @@
 /data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
 /data/gsi(/.*)?        u:object_r:gsi_data_file:s0
+/data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
@@ -649,6 +651,7 @@
 /metadata/apex(/.*)?      u:object_r:apex_metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
+/metadata/gsi/ota(/.*)?   u:object_r:ota_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 

private/gsid.te

@@ -70,7 +70,12 @@ allow gsid adbd:fd use;
 # Needed when running gsi_tool through "su root" rather than adb root.
 allow gsid adbd:unix_stream_socket rw_socket_perms;
 
-neverallow { domain -gsid -init } gsid_prop:property_service set;
+neverallow {
+  domain
+  -gsid
+  -init
+  -update_engine_common
+} gsid_prop:property_service set;
 
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
 # underlying blocks would be encrypted, and we couldn't mount the GSI image in
@@ -98,12 +103,27 @@ allow gsid userdata_block_device:blk_file r_file_perms;
 #                    currently running.
 #
 allow gsid metadata_file:dir { search getattr };
-allow gsid gsi_metadata_file:dir rw_dir_perms;
-allow gsid gsi_metadata_file:file create_file_perms;
+allow gsid {
+    gsi_metadata_file
+    ota_metadata_file
+}:dir rw_dir_perms;
+allow gsid {
+    gsi_metadata_file
+    ota_metadata_file
+}:file create_file_perms;
 
-allow gsid gsi_data_file:dir rw_dir_perms;
-allow gsid gsi_data_file:file create_file_perms;
-allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+allow gsid {
+      gsi_data_file
+      ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+      gsi_data_file
+      ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+      gsi_data_file
+      ota_image_data_file
+}:file ioctl FS_IOC_FIEMAP;
 
 neverallow {
     domain

private/snapshotctl.te

@@ -0,0 +1,32 @@
+type snapshotctl, domain, coredomain;
+type snapshotctl_exec, system_file_type, exec_type, file_type;
+
+# Allow init to run snapshotctl and do auto domain transfer.
+init_daemon_domain(snapshotctl);
+
+# Allow to start gsid service.
+set_prop(snapshotctl, ctl_gsid_prop)
+
+# Allow to talk to gsid.
+binder_use(snapshotctl)
+allow snapshotctl gsi_service:service_manager find;
+binder_call(snapshotctl, gsid)
+
+# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+allow snapshotctl metadata_file:dir search;
+allow snapshotctl ota_metadata_file:dir rw_dir_perms;
+allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(snapshotctl, sysfs_dt_firmware_android);
+allow snapshotctl proc_cmdline:file r_file_perms;
+
+# Needed to (re-)map logical partitions.
+allow snapshotctl block_device:dir r_dir_perms;
+allow snapshotctl super_block_device:blk_file r_file_perms;
+
+# Interact with device-mapper to collapse snapshots.
+allow snapshotctl dm_device:chr_file rw_file_perms;
+
+# Needed to mutate device-mapper nodes.
+allow snapshotctl self:global_capability_class_set sys_admin;

private/update_engine.te

@@ -1,3 +1,7 @@
 typeattribute update_engine coredomain;
 
 init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)

public/update_engine.te

@@ -54,3 +54,13 @@ allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device. ReadDefaultFstab() checks whether a GSI is running by checking
+# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
+# the access.
+dontaudit update_engine gsi_metadata_file:dir search;

public/update_engine_common.te

@@ -79,3 +79,7 @@ unix_socket_send(update_engine_common, statsdw, statsd)
 
 # Allow to read Virtual A/B feature flags.
 get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;