Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the system partition to the vendor partition, if it exists, or the vendor directory on the system partition otherwise. The recovery resources are moving from the system image to the vendor partition so that a single system image may be used with either an A/B or a non-A/B vendor image. The topic removes a delta in the system image that prevented such reuse in the past. The recovery resources that are moving are involved with updating the recovery partition after an update. In a non-A/B configuration, the system boots from the recovery partition, updates the other partitions (system, vendor, etc.) Then, the next time the system boots normally, a script updates the recovery partition (if necessary). This script, the executables it invokes, and the data files that it uses were previously on the system partition. The resources that are moving include the following. * install-recovery.sh * applypatch * recovery-resource.dat (if present) * recovery-from-boot.p (if present) This change includes the sepolicy changes to move the recovery resources from system to vendor. The big change is renaming install_recovery*.te to vendor_install_recovery*.te to emphasize the move to vendor. Other changes follow from that. The net result is that the application of the recovery patch has the same permissions that it had when it lived in system. Bug: 68319577 Test: Ensure that recovery partition is updated correctly. Change-Id: If29cb22b2a7a5ce1b25d45ef8635e6cb81103327
This commit is contained in:
Bill Peckham
parent
f53c57287d
commit
d0dc1a057d
6 changed files with 30 additions and 25 deletions
|
|
@ -1,6 +1,8 @@
|
|||
;; types removed from current policy
|
||||
(type ashmemd)
|
||||
(type hal_wifi_offload_hwservice)
|
||||
(type install_recovery)
|
||||
(type install_recovery_exec)
|
||||
(type mediacodec_service)
|
||||
(type perfprofd_data_file)
|
||||
(type perfprofd_service)
|
||||
|
|
|
|||
|
|
@ -23,5 +23,7 @@
|
|||
system_passwd_file
|
||||
vendor_apex_file
|
||||
vendor_boringssl_self_test
|
||||
vendor_install_recovery
|
||||
vendor_install_recovery_exec
|
||||
virtual_ab_prop
|
||||
wifi_stack_service))
|
||||
|
|
|
|||
|
|
@ -284,7 +284,6 @@
|
|||
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
|
||||
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
|
||||
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
|
||||
/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
|
||||
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
|
||||
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
|
||||
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
|
||||
|
|
@ -367,6 +366,8 @@
|
|||
|
||||
/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
|
||||
|
||||
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
|
||||
|
||||
#############################
|
||||
# OEM and ODM files
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,3 +0,0 @@
|
|||
typeattribute install_recovery coredomain;
|
||||
|
||||
init_daemon_domain(install_recovery)
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
# service flash_recovery in init.rc
|
||||
type install_recovery, domain;
|
||||
type install_recovery_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# /system/bin/install-recovery.sh is a shell script.
|
||||
# Needs to execute /system/bin/sh
|
||||
allow install_recovery shell_exec:file rx_file_perms;
|
||||
|
||||
# Execute /system/bin/applypatch
|
||||
allow install_recovery system_file:file rx_file_perms;
|
||||
not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
|
||||
|
||||
allow install_recovery toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Update the recovery block device based off a diff of the boot block device
|
||||
allow install_recovery block_device:dir search;
|
||||
allow install_recovery boot_block_device:blk_file r_file_perms;
|
||||
allow install_recovery recovery_block_device:blk_file rw_file_perms;
|
||||
|
||||
# Write to /proc/sys/vm/drop_caches
|
||||
allow install_recovery proc_drop_caches:file w_file_perms;
|
||||
24
vendor/vendor_install_recovery.te
vendored
Normal file
24
vendor/vendor_install_recovery.te
vendored
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
init_daemon_domain(vendor_install_recovery)
|
||||
|
||||
# service vendor_flash_recovery in
|
||||
# bootable/recovery/applypatch/vendor_flash_recovery.rc
|
||||
type vendor_install_recovery, domain;
|
||||
type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
|
||||
|
||||
# /vendor/bin/install-recovery.sh is a shell script.
|
||||
# Needs to execute /vendor/bin/sh
|
||||
allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
|
||||
|
||||
# Execute /vendor/bin/applypatch
|
||||
allow vendor_install_recovery vendor_file:file rx_file_perms;
|
||||
not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
|
||||
|
||||
allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Update the recovery block device based off a diff of the boot block device
|
||||
allow vendor_install_recovery block_device:dir search;
|
||||
allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
|
||||
allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
|
||||
|
||||
# Write to /proc/sys/vm/drop_caches
|
||||
allow vendor_install_recovery proc_drop_caches:file w_file_perms;
|
||||
Loading…
Reference in a new issue