From d47c1e93ae8dbec88327cf96a4b8d788994dedf0 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Fri, 8 Jul 2016 18:31:10 -0700
Subject: [PATCH] Sepolicy: Adapt for new A/B OTA flow

To include target slot names in the naming of A/B OTA artifacts, and new path has been implemented. Instead of passing through the system server and forking off of installd, otapreopt_chroot is now driven directly from the otapreopt script.

Change the selinux policy accordingly: allow a transition from postinstall to otapreopt_chroot, and let otapreopt_chroot inherit the file descriptors that update_engine had opened (it will close them immediately, do not give rights to the downstream executables otapreopt and dex2oat).

Bug: 25612095
Bug: 28069686
Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb
---
 installd.te | 5 -----
 otapreopt_chroot.te | 7 +++++--
 postinstall.te | 4 +++-
 postinstall_dexopt.te | 4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/installd.te b/installd.te
index ebd759174..ab0aadcd1 100644
--- a/installd.te
+++ b/installd.te
@@ -72,11 +72,6 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
-# Run otapreopt in its own sandbox.
-domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
-# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
-allow installd postinstall_dexopt:process sigchld;
-
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index b3f8807b0..3f426709c 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -10,5 +10,8 @@ allow otapreopt_chroot self:capability { sys_admin sys_chroot };
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
 
-# Allow otapreopt to use file descriptors from installd.
-allow otapreopt_chroot installd:fd use;
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/postinstall.te b/postinstall.te
index 5c261efe9..0560606c7 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -32,4 +32,6 @@ binder_use(postinstall)
 binder_call(postinstall, system_server)
 
 # Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
\ No newline at end of file
+allow postinstall otadexopt_service:service_manager find;
+
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index 1a236fc6e..c5b2533a1 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -49,8 +49,8 @@ selinux_check_access(postinstall_dexopt)
 
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-# installd wants to know about our child.
-allow postinstall_dexopt installd:process sigchld;
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
 
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
-- 
GitLab
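Review bot: The comment above the three added `allow` rules in otapreopt_chroot.te describes less than they grant: it names only update-engine, but the rules also grant `postinstall:fd use` and `update_engine:fifo_file write`, and the subject is otapreopt_chroot rather than otapreopt. I would widen it to `# otapreopt_chroot inherits descriptors opened by postinstall and update_engine and closes them right away; the fifo write is only for what may be emitted before that close.` — the last clause is my reading of why `write` is needed at all, not something the hunk shows, so confirm it and drop `fifo_file write` if nothing is written before the close. The commit message says otapreopt and dex2oat must not get these descriptors; provided no existing rule in those domains needs it, that intent can be pinned as `neverallow { postinstall_dexopt dex2oat } update_engine:fd use;` so a later change cannot widen it unnoticed.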
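Review bot: The added `domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)` in postinstall.te is the only rule in this hunk without a leading comment, while every other rule group visible in the context lines has one. Suggest `# Run otapreopt_chroot in its own sandbox; it transitions on to postinstall_dexopt.` above it, the second clause matching the domain_auto_trans in otapreopt_chroot.te in this same patch. A one-line pointer that the descriptors otapreopt_chroot inherits from postinstall are governed by the `postinstall:fd use` rule in otapreopt_chroot.te would also save the next reader a search.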