From 8eaf25856eab787d5226441b6f3032fdfef9cbb9 Mon Sep 17 00:00:00 2001
From: Tao Bao <tbao@google.com>
Date: Fri, 4 Dec 2015 17:48:50 -0800
Subject: [PATCH] Allow update_verifier to access bootctrl_block_device.

Bug: 26039641
Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4
---
 device.te | 3 +++
 file_contexts | 1 +
 update_verifier.te | 10 ++++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 update_verifier.te

diff --git a/device.te b/device.te
index 6457017d3..880212cd4 100644
--- a/device.te
+++ b/device.te
@@ -98,3 +98,6 @@ type metadata_block_device, dev_type;
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
+
+# Bootctrl block device used by A/B update (update_engine, update_verifier).
+type bootctrl_block_device, dev_type;
diff --git a/file_contexts b/file_contexts
index 075154c4b..a54876727 100644
--- a/file_contexts
+++ b/file_contexts
@@ -189,6 +189,7 @@
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd u:object_r:logd_exec:s0
 /system/bin/uncrypt u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
 /system/bin/logwrapper u:object_r:system_file:s0
 /system/bin/vdc u:object_r:vdc_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
diff --git a/update_verifier.te b/update_verifier.te
new file mode 100644
index 000000000..42567fec9
--- /dev/null
+++ b/update_verifier.te
@@ -0,0 +1,10 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, exec_type, file_type;
+
+init_daemon_domain(update_verifier)
+
+# Raw writes to bootctrl block device
+allow update_verifier bootctrl_block_device:blk_file rw_file_perms;
+
+# TODO: Add rules to allow update_verifier to read system_block_device.
-- 
GitLab
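Review bot: Nothing in this patch labels a device node with `bootctrl_block_device`: the device.te hunk declares the type, but the file_contexts hunk only adds the `update_verifier_exec` entry. If labeling is meant to live in each device's own policy, the comment above the type should say so, for example `# Assign this type to the bootctrl partition in the device-specific file_contexts.` Until some node carries the label, the allow rule in update_verifier.te matches nothing. The comment also names update_engine, but no rule for that domain is visible in this patch.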
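Review bot: The rule `allow update_verifier bootctrl_block_device:blk_file rw_file_perms;` in update_verifier.te grants more than its comment describes. `rw_file_perms` adds read, ioctl, lock and append to write, while the comment speaks only of raw writes. Either the comment should state why the read side is needed, or the set should be narrowed to the permissions update_verifier actually exercises. Since this device appears to hold the A/B boot control state, a `neverallow` on `bootctrl_block_device:blk_file { write append }` would be a useful companion, with an exemption set listing every domain that legitimately writes it. That would stop later policy changes from widening write access unnoticed.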