Allow update_engine to use Binder IPC.

Register service with servicemanager and name the context. avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager Also allow priv_app to communicate with update_engine. avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c

Allow update_engine to use Binder IPC.
dce317cf · Tao Bao · 2fdeab37 · dce317cf · dce317cf · dce317cf
Commit dce317cf authored 9 years ago by Tao Bao
--- a/priv_app.te
+++ b/priv_app.te
@@ -72,6 +72,10 @@ allow priv_app fuse_device:chr_file { read write };
 allow priv_app sysfs_zram:dir search;
 allow priv_app sysfs_zram:file r_file_perms;
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(priv_app, update_engine)
+allow priv_app update_engine_service:service_manager find;
 ###
 ### neverallow rules
 ###

--- a/service.te
+++ b/service.te
@@ -11,6 +11,7 @@ type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
+type update_engine_service,     service_manager_type;
 # system_server_services broken down
 type accessibility_service, app_api_service, system_server_service, service_manager_type;

--- a/service_contexts
+++ b/service_contexts
@@ -2,6 +2,7 @@ accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
+android.os.IUpdateEngine                  u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 appops                                    u:object_r:appops_service:s0

--- a/update_engine.te
+++ b/update_engine.te
@@ -26,3 +26,10 @@ allow update_engine system_block_device:blk_file rw_file_perms;
 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+allow update_engine update_engine_service:service_manager { add };
+# Allow update_engine to call the callback function provided by priv_app.
+binder_call(update_engine, priv_app)