Merge "Allow update_verifier to access bootctrl_block_device."

am: e8b176ed * commit 'e8b176ed': Allow update_verifier to access bootctrl_block_device.

Merge "Allow update_verifier to access bootctrl_block_device."
7a0b8efe · Tao Bao · android-build-merger · 637af04e · e8b176ed · 7a0b8efe
Commit 7a0b8efe authored 9 years ago by Tao Bao Committed by android-build-merger 9 years ago
--- a/device.te
+++ b/device.te
@@ -98,3 +98,6 @@ type metadata_block_device, dev_type;
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
+# Bootctrl block device used by A/B update (update_engine, update_verifier).
+type bootctrl_block_device, dev_type;
--- a/file_contexts
+++ b/file_contexts
@@ -189,6 +189,7 @@
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
 /system/bin/uncrypt     u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0

--- a/update_verifier.te
+++ b/update_verifier.te
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, exec_type, file_type;
+init_daemon_domain(update_verifier)
+# Raw writes to bootctrl block device
+allow update_verifier bootctrl_block_device:blk_file rw_file_perms;
+# TODO: Add rules to allow update_verifier to read system_block_device.