Merge "init: Allow interacting with snapuserd and libsnapshot."

2020-11-03 18:24:49 +00:00 · 2020-11-03 18:24:49 +00:00 · ae72bf372c
commit ae72bf372c
parent 42aa7a26e2 0c0c13a59f
1 changed files with 7 additions and 0 deletions
--- a/private/init.te
+++ b/private/init.te
@ -55,6 +55,13 @@ allow init self:global_capability2_class_set perfmon;
 neverallow init self:perf_event { kernel tracepoint read write };
 dontaudit init self:perf_event { kernel tracepoint read write };

+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
 # Only init is allowed to set the sysprop indicating whether perf_event_open()
 # SELinux hooks were detected.
 set_prop(init, init_perf_lsm_hooks_prop)