From 03daf853bb1caf12cb1ca19e6ffa02449b4ee31e Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Fri, 8 Jul 2016 18:31:10 -0700
Subject: [PATCH] Sepolicy: Adapt for new A/B OTA flow

(cherry picked from commit d47c1e93ae8dbec88327cf96a4b8d788994dedf0)

To include target slot names in the naming of A/B OTA artifacts,
a new path has been implemented. Instead of passing through
the system server and forking off of installd, otapreopt_chroot
is now driven directly from the otapreopt script.

Change the selinux policy accordingly: allow a transition from
postinstall to otapreopt_chroot, and let otapreopt_chroot inherit
the file descriptors that update_engine had opened (it will close
them immediately, do not give rights to the downstream executables
otapreopt and dex2oat).

Bug: 25612095
Bug: 28069686
Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb
---
 installd.te           | 5 -----
 otapreopt_chroot.te   | 7 +++++--
 postinstall.te        | 2 ++
 postinstall_dexopt.te | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/installd.te b/installd.te
index c198e2a65..317ae7cea 100644
--- a/installd.te
+++ b/installd.te
@@ -73,11 +73,6 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
-# Run otapreopt in its own sandbox.
-domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
-# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
-allow installd postinstall_dexopt:process sigchld;
-
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index b3f8807b0..3f426709c 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -10,5 +10,8 @@ allow otapreopt_chroot self:capability { sys_admin sys_chroot };
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
 
-# Allow otapreopt to use file descriptors from installd.
-allow otapreopt_chroot installd:fd use;
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
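Review bot: The `fifo_file write` grant on the last added line is not explained by the new comment, which says the inherited descriptors are closed immediately — a domain that only closes descriptors needs `fd use` but never `write`. If the write is for a pipe that update_engine handed down as the stdout/stderr of the otapreopt script (plausible, but not visible here), the comment should say so, since this is the one rule in the hunk that lets otapreopt_chroot send data back to update_engine rather than merely drop the descriptors. The comment also still names `otapreopt` as the subject although every rule here is on `otapreopt_chroot`. Something like `# otapreopt_chroot inherits fds from postinstall/update_engine and closes them at once; fifo_file write is needed for <the inherited pipe - fill in>.` would state both points.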
diff --git a/postinstall.te b/postinstall.te
index 7fd4dc611..0f6bb749b 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -30,6 +30,8 @@ binder_call(postinstall, system_server)
 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;
 
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.
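Review bot: The new `domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)` is the only rule in this section without a comment, while each neighbouring rule explains its purpose. Suggest `# Run otapreopt_chroot in its own sandbox; it is now exec'd directly from the otapreopt script rather than via installd.` above it. The context lines that follow document that only update_engine and recovery may transition into postinstall; this rule is a transition out of postinstall, so it does not conflict with that restriction, but the comment should make the direction clear to the next reader.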
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index 3d00c3109..1ab929c76 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -47,8 +47,8 @@ selinux_check_access(postinstall_dexopt)
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
-# installd wants to know about our child.
-allow postinstall_dexopt installd:process sigchld;
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
 
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
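Review bot: `# Postinstall wants to know about our child.` on the changed comment line carries over the wording of the old installd comment, but the rule below it, `allow postinstall_dexopt postinstall:process sigchld;`, permits postinstall_dexopt to deliver SIGCHLD to postinstall — that is what postinstall receives when the otapreopt process it spawned exits, not information about postinstall_dexopt's own child dex2oat. If that reading is right, `# postinstall spawned us and must receive SIGCHLD when we exit.` describes the rule more accurately; please confirm against the otapreopt script's process layout, which is not visible here.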
-- 