From 108b74a193c8c424ee4579bae7f2f0444840428e Mon Sep 17 00:00:00 2001
From: Alex Deymo <deymo@google.com>
Date: Tue, 21 Jun 2016 16:52:52 -0700
Subject: [PATCH] Allow update_engine to suspend/resume postinstall.

update_engine launches the postinstall process and can suspend and
resume it by sending SIGSTOP and SIGCONT. This fixes the following
denials:

update_engine: type=1400 audit(0.0:88): avc: denied { sigstop } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1
update_engine: type=1400 audit(0.0:89): avc: denied { signal } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1

Bug: 28959137
TEST=`update_engine_client --suspend ; update_engine_client --resume` while the device is running postinstall.

Change-Id: I9890ad0ff7fe04bae1a54fa07c61aafca8de8e66
---
 update_engine.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/update_engine.te b/update_engine.te
index 3c5bfa163..27d376799 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -55,6 +55,9 @@ domain_auto_trans(update_engine, postinstall_file, postinstall)
 # to execute those.
 allow update_engine shell_exec:file rx_file_perms;
 
+# Allow update_engine to suspend, resume and kill the postinstall program.
+allow update_engine postinstall:process { signal sigstop };
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };
-- 
GitLab