Make A/B backuptool permissive

Change-Id: Ib1f52f40dab26ac4575e06bfd54b88809b00f8d3
AOSiP · Jan 5, 2019 · 618adbf · 618adbf
1 parent 75ac3aa
commit 618adbf
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/common/private/backuptool.te b/common/private/backuptool.te
@@ -0,0 +1,5 @@
+type backuptool, domain, coredomain;
+
+permissive backuptool;
+
+neverallow { domain -update_engine } backuptool:process transition;
diff --git a/common/private/update_engine.te b/common/private/update_engine.te
@@ -1,13 +1,10 @@
-allow update_engine self:capability { dac_override dac_read_search sys_rawio };
-
+# Read updates from storage data
 r_dir_file(update_engine, mnt_user_file)
 r_dir_file(update_engine, storage_file)
 
-allow update_engine self:capability { chown fsetid sys_rawio };
-
+# Allow mount and unmount of system partition
 allow update_engine labeledfs:filesystem { mount unmount };
 
-allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms;
-allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms;
-allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms;
-allow update_engine { rootfs system_file }:file { relabelfrom relabelto };
+# Allow transition to backuptool domain
+allow update_engine self:process setexec;
+domain_trans(update_engine, otapreopt_chroot_exec, backuptool)