From b74017d3b3b4cc63a0a362aebbf3d39733a233c6 Mon Sep 17 00:00:00 2001
From: Alex Deymo <deymo@google.com>
Date: Wed, 22 Mar 2017 21:01:08 -0700
Subject: [PATCH] Allow update_engine to kill postinstall process.

This fixes the following denial in O:

 update_engine: type=1400 audit(0.0:2100): avc: denied { sigkill } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=0

Bug: 35111618
Test: update_engine_client --cancel during postinstall
Change-Id: I7456a95b5ca6fbdb268a5e16a13e2409758141f5
---
 public/update_engine_common.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 29d730ce4..8e454cc0e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -30,7 +30,7 @@ allow update_engine_common postinstall_file:dir r_dir_perms;
 allow update_engine_common shell_exec:file rx_file_perms;
 
 # Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop };
+allow update_engine_common postinstall:process { signal sigstop sigkill };
 
 # access /proc/misc
 # Access is also granted to proc:file, but it is likely unneeded
-- 
GitLab