common: Switch Updater app to its own SELinux domain

Change-Id: If0ea1c3af9f75c312e02d63ce2c7d0ec051b4be3
AOSiP · Oct 6, 2020 · 344a734 · 344a734
1 parent 0cfcda6
commit 344a734
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/common/private/priv_app.te b/common/private/priv_app.te
diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
@@ -1,2 +1,3 @@
 user=_app isPrivApp=true seinfo=platform name=com.android.gallery3d domain=gallery_app type=app_data_file levelFrom=user
 user=_app isPrivApp=true seinfo=platform name=org.lineageos.snap domain=snap_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=org.lineageos.updater domain=updater_app type=app_data_file levelFrom=user
diff --git a/common/private/update_engine.te b/common/private/update_engine.te
@@ -1,3 +1,6 @@
+# Allow update_engine to call the callback function provided by updater_app
+binder_call(update_engine, updater_app)
+
 # Read updates from storage data
 r_dir_file(update_engine, mnt_user_file)
 r_dir_file(update_engine, storage_file)

diff --git a/common/private/updater_app.te b/common/private/updater_app.te
@@ -0,0 +1,18 @@
+type updater_app, domain, coredomain;
+
+app_domain(updater_app)
+
+binder_call(updater_app, update_engine)
+
+allow updater_app app_api_service:service_manager find;
+allow updater_app system_api_service:service_manager find;
+allow updater_app update_engine_service:service_manager find;
+
+allow updater_app app_data_file:dir create_dir_perms;
+allow updater_app app_data_file:{ file lnk_file } create_file_perms;
+
+allow updater_app ota_package_file:dir create_dir_perms;
+allow updater_app ota_package_file:file create_file_perms;
+
+get_prop(updater_app, default_prop)
+get_prop(updater_app, exported2_default_prop)