From 57b1e913b66075beae7d157c665506ae5d13c49e Mon Sep 17 00:00:00 2001
From: Alex Deymo <deymo@google.com>
Date: Thu, 23 Feb 2017 18:37:45 -0800
Subject: [PATCH] update_engine: Allow to tag sockets.
Bug: 35721166
Test: Run update_engine_unittest as system user in enforcing mode.
Change-Id: I9cd63b19e6eed3e1291d36d4c342ecf725407232
---
 public/update_engine.te | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/public/update_engine.te b/public/update_engine.te
index 3a3340719..31ba14f74 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -6,6 +6,11 @@ type update_engine_data_file, file_type, data_file_type;
 net_domain(update_engine);
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
+# sockets.
+allow update_engine qtaguid_proc:file rw_file_perms;
+allow update_engine qtaguid_device:chr_file r_file_perms;
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:capability { fowner sys_admin };
-- 
GitLab
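Review bot: The added comment `# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network sockets.` does not say which of the two objects receives write access, while the rules beneath it grant `rw_file_perms` on `qtaguid_proc` but only `r_file_perms` on `qtaguid_device`; reword it to `# Read/write /proc/net/xt_qtaguid/ctrl and read /dev/xt_qtaguid so update_engine can tag its own sockets.` so the asymmetry reads as intentional rather than as a typo. The write grant on the ctrl file is the interface used to tag and untag sockets, and since update_engine runs as the `system` user per the Test: line, it would help to state in the description whether only the process's own sockets need tagging — presumably yes, but the rule itself does not narrow that, so the justification is what a later auditor of this rw grant will look for. The hunk shows only the neighbouring rules; the rest of update_engine.te is outside the patch.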