Allow update_engine to suspend/resume postinstall.

update_engine launches the postinstall process and can suspend and resume it by sending SIGSTOP and SIGCONT. This fixes the following denials: update_engine: type=1400 audit(0.0:88): avc: denied { sigstop } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1 update_engine: type=1400 audit(0.0:89): avc: denied { signal } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1 Bug: 28959137 TEST=`update_engine_client --suspend ; update_engine_client --resume` while the device is running postinstall. Change-Id: I9890ad0ff7fe04bae1a54fa07c61aafca8de8e66

Allow update_engine to suspend/resume postinstall.
108b74a1 · Alex Deymo · 15105ce7 · 108b74a1
Commit 108b74a1 authored 8 years ago by Alex Deymo
--- a/update_engine.te
+++ b/update_engine.te
@@ -55,6 +55,9 @@ domain_auto_trans(update_engine, postinstall_file, postinstall)
 # to execute those.
 allow update_engine shell_exec:file rx_file_perms;

+# Allow update_engine to suspend, resume and kill the postinstall program.
+allow update_engine postinstall:process { signal sigstop };
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };