tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow system app and update_engine to read OTA from /vendor

Browse source 
Introuducing vendor_boot_ota_file which will be used to allow
reading OTAs from /vendor/boot_otas when BOARD_16K_OTA_MOVE_VENDOR := true
is set. These OTAs will be read from settings app(system_app) and update
engine.

Test: m, m Settings && adb install -r $ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk
Bug: 335022191
Change-Id: Ie42e0de12694ed74f9a98cd115f72d207f67c834
This commit is contained in:
Pawan Wagh 2024-04-29 22:03:20 +00:00
parent 77a8ac9ab4
commit b071882d76
7 changed files with 17 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
contexts/plat_file_contexts_test
View file

@ -539,6 +539,8 @@
/vendor/priv-app/test vendor_app_file
/system/vendor/priv-app vendor_app_file
/system/vendor/priv-app/test vendor_app_file
/vendor/boot_otas/ vendor_boot_ota_file
/vendor/boot_otas/test vendor_boot_ota_file
/vendor/overlay vendor_overlay_file
/vendor/overlay/test vendor_overlay_file
/system/vendor/overlay vendor_overlay_file

2
private/compat/202404/202404.cil
View file

@ -2682,7 +2682,7 @@
(typeattributeset vendor_configs_file_202404 (vendor_configs_file))
(typeattributeset vendor_data_file_202404 (vendor_data_file))
(typeattributeset vendor_default_prop_202404 (vendor_default_prop))
(typeattributeset vendor_file_202404 (vendor_file))
(typeattributeset vendor_file_202404 (vendor_file vendor_boot_ota_file))
(typeattributeset vendor_framework_file_202404 (vendor_framework_file))
(typeattributeset vendor_hal_file_202404 (vendor_hal_file))
(typeattributeset vendor_idc_file_202404 (vendor_idc_file))

1
private/domain.te
View file

@ -2036,6 +2036,7 @@ full_treble_only(`
-vendor_app_file
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_boot_ota_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file

2
private/file_contexts
View file

@ -437,6 +437,8 @@
/(vendor|system/vendor)/etc/aconfig(/.*)? u:object_r:vendor_aconfig_storage_file:s0
/vendor/boot_otas(/.*)? u:object_r:vendor_boot_ota_file:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0

3
private/system_app.te
View file

@ -196,3 +196,6 @@ neverallow system_app shell_data_file:file { open read ioctl lock };
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
# system_app should be the only domain writing the force l3 prop
neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
allow system_app vendor_boot_ota_file:dir { r_dir_perms };
allow system_app vendor_boot_ota_file:file { r_file_perms };

3
private/update_engine.te
View file

@ -115,3 +115,6 @@ allow update_engine snapshotctl_log_data_file:file create_file_perms;
# Allow determining filesystems available on system.
# Needed for checking if overlayfs is enabled
allow update_engine proc_filesystems:file r_file_perms;
allow update_engine vendor_boot_ota_file:dir { r_dir_perms };
allow update_engine vendor_boot_ota_file:file { r_file_perms };

5
public/file.te
View file

@ -280,6 +280,11 @@ type vendor_public_framework_file, vendor_file_type, file_type;
# Files having this type should be read-only.
type vendor_microdroid_file, vendor_file_type, file_type;
starting_at_board_api(202504, `
# boot otas for 16KB developer option
type vendor_boot_ota_file, vendor_file_type, file_type;
')
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
type vendor_keychars_file, vendor_file_type, file_type;