09bb944221
Restrict access to controlling snapuserd via ctl properties. Allow update_engine to control snapuserd, and connect/write to its socket. update_engine needs this access so it can create the appropriate dm-user device (which sends queries to snapuserd), which is then used to build the update snapshot. This also fixes a bug where /dev/dm-user was not properly labelled. As a result, snapuserd and update_engine have been granted r_dir_perms to dm_user_device. Bug: 168554689 Test: full ota with VABC enabled Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
18 lines
648 B
Text
18 lines
648 B
Text
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
|
|
type snapuserd, domain;
|
|
type snapuserd_exec, exec_type, file_type, system_file_type;
|
|
|
|
typeattribute snapuserd coredomain;
|
|
|
|
init_daemon_domain(snapuserd)
|
|
|
|
allow snapuserd kmsg_device:chr_file rw_file_perms;
|
|
|
|
# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
|
|
allow snapuserd block_device:dir r_dir_perms;
|
|
allow snapuserd dm_device:chr_file rw_file_perms;
|
|
allow snapuserd dm_device:blk_file rw_file_perms;
|
|
|
|
# Reading and writing to dm-user control nodes.
|
|
allow snapuserd dm_user_device:dir r_dir_perms;
|
|
allow snapuserd dm_user_device:chr_file rw_file_perms;
|