From 5507fa6672455ce3331a099f48a2977dd084b63d Mon Sep 17 00:00:00 2001
From: Alex Deymo <deymo@google.com>
Date: Mon, 4 Apr 2016 18:58:07 -0700
Subject: [PATCH] Remove "exec_type" from postinstall_file.

update_engine had an automatic transition to the "postinstall" domain when executing a "postinstall_file" which required it to be an entrypoint. This patch removes this automatic transition and the associated rules in update_engine.te, removing as well the need to add exec_type to postinstall_file. Instead, update_engine now makes this transition explicit by calling setexeccon(3).

Bug: 28008031
TEST=make dist; Deployed an update to edison-eng: postinstall runs as "postinstall" domain.

Change-Id: I2b799ac4808c90b010a9e776aaa7015020a94b49
---
 file.te | 2 +-
 update_engine.te | 12 +++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/file.te b/file.te
index b789e36e5..833e41a4f 100644
--- a/file.te
+++ b/file.te
@@ -117,7 +117,7 @@ type storage_stub_file, file_type;
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type, exec_type;
+type postinstall_file, file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
diff --git a/update_engine.te b/update_engine.te
index cf614e6a0..06ae5212d 100644
--- a/update_engine.te
+++ b/update_engine.te
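Review bot: The kept comment `# Files inside the /postinstall mountpoint are all labeled as postinstall_file.` no longer tells a reader of file.te why this type is deliberately not exec_type, even though update_engine still executes files carrying it. The rationale is only in the commit message; suggest carrying it next to the declaration, e.g. `# Not exec_type: update_engine enters the "postinstall" domain explicitly via setexeccon(3) rather than by an automatic transition on this type.` That keeps the next maintainer from "fixing" the attribute back in when they see the execute rules in update_engine.te.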
@@ -36,19 +36,13 @@ allow update_engine postinstall_mnt_dir:dir mounton;
 allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine labeledfs:filesystem relabelfrom;
-# Allow update_engine to read and execute postinstall_file.
+# Allow update_engine to read and execute postinstall_file, which is what the
+# postinstall program is relabeled to regardless of its attributes in the new
+# system. The postinstall program will run in the "postinstall" domain.
 allow update_engine postinstall_file:file rx_file_perms;
 allow update_engine postinstall_file:lnk_file r_file_perms;
 allow update_engine postinstall_file:dir r_dir_perms;
-# The postinstall program is run by update_engine and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine, postinstall_file, postinstall)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine shell_exec:file rx_file_perms;
-
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };
-- GitLab
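Review bot: With `domain_auto_trans(update_engine, postinstall_file, postinstall)` removed, the retained `allow update_engine postinstall_file:file rx_file_perms;` still includes execute_no_trans, so policy no longer forces the postinstall program into the "postinstall" domain — if update_engine ever execs it without first calling setexeccon(3), it runs in update_engine's own domain and the new comment's promise that it "will run in the postinstall domain" is not enforced. Narrowing that rule to `allow update_engine postinstall_file:file { r_file_perms execute };` would make the kernel reject a no-transition exec while still permitting the intended one. The hunk also does not add what the explicit transition needs (`allow update_engine self:process setexec;` plus the transition/entrypoint rules that domain_auto_trans used to expand to); if those live in postinstall.te or elsewhere outside this patch, a one-line comment here pointing to them would save the next reader from assuming the transition path is now unguarded.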