aospa: sepolicy: Add ParanoidHub and additional update_engine polices

* common: add update_engine policies Dan Pasanen <dan.pasanen@gmail.com> * sepolicy: add rules for updater and update_engine Dan Pasanen <dan.pasanen@gmail.com> * common: Switch Updater app to its own SELinux domain Łukasz Patron <priv.luk@gmail.com> * updater_app: Allow updater_app domain to access the network Eamon Powell <eamonpowell@outlook.com> * Updater: Allow binder calls to gpu service Bruno Martins <bgcngm@gmail.com> * updater_app: Grant additional permissions Nolen Johnson <johnsonnolen@gmail.com> * common: exported2_default_prop -> build_prop Michael Bestas <mkbestas@lineageos.org> Change-Id: I14f2ccfa17f6b88924d341b69305343f97877f70
2022-07-19 13:42:54 -04:00 · 2022-07-19 13:42:54 -04:00 · 60b01a2afe
parent 1dfffd3b21
commit 60b01a2afe
6 changed files with 41 additions and 0 deletions
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@ -1,2 +1,5 @@
+# ParanoidHub
+/data/hub_updates(/.*)?           u:object_r:ota_package_file:s0
+
 # Pocket Judge
 /sys/kernel/pocket_judge(/.*)?	        u:object_r:pocket_judge_sysfs:s0
--- a/sepolicy/private/hub_app.te
+++ b/sepolicy/private/hub_app.te
@ -0,0 +1,26 @@
+type hub_app, domain, coredomain;
+
+app_domain(hub_app)
+net_domain(hub_app)
+
+binder_call(hub_app, gpuservice)
+binder_call(hub_app, update_engine)
+
+allow hub_app app_api_service:service_manager find;
+allow hub_app recovery_service:service_manager find;
+allow hub_app system_api_service:service_manager find;
+allow hub_app update_engine_service:service_manager find;
+
+allow hub_app app_data_file:dir create_dir_perms;
+allow hub_app app_data_file:{ file lnk_file } create_file_perms;
+
+allow hub_app cache_file:dir r_dir_perms;
+
+allow hub_app cache_recovery_file:dir rw_dir_perms;
+allow hub_app cache_recovery_file:file create_file_perms;
+
+allow hub_app ota_package_file:dir create_dir_perms;
+allow hub_app ota_package_file:file create_file_perms;
+
+get_prop(hub_app, default_prop)
+get_prop(hub_app, build_prop)
--- a/sepolicy/private/rootfs.te
+++ b/sepolicy/private/rootfs.te
@ -0,0 +1 @@
+allow rootfs labeledfs:filesystem associate;
--- a/sepolicy/private/sdcardfs.te
+++ b/sepolicy/private/sdcardfs.te
@ -0,0 +1 @@
+allow sdcardfs labeledfs:filesystem associate;
--- a/sepolicy/private/seapp_contexts
+++ b/sepolicy/private/seapp_contexts
@ -0,0 +1 @@
+user=_app isPrivApp=true seinfo=platform name=co.aospa.hub domain=hub_app type=app_data_file levelFrom=user
--- a/sepolicy/private/update_engine.te
+++ b/sepolicy/private/update_engine.te
@ -0,0 +1,9 @@
+# Allow update_engine to call the callback function provided by updater_app
+binder_call(update_engine, hub_app)
+
+# Read updates from storage data
+r_dir_file(update_engine, mnt_user_file)
+r_dir_file(update_engine, storage_file)
+
+# Allow mount and unmount of system partition
+allow update_engine labeledfs:filesystem { mount unmount };
				`@ -0,0 +1 @@`
				`allow rootfs labeledfs:filesystem associate;`
				`@ -0,0 +1 @@`
				`allow sdcardfs labeledfs:filesystem associate;`
				`@ -0,0 +1 @@`
				`user=_app isPrivApp=true seinfo=platform name=co.aospa.hub domain=hub_app type=app_data_file levelFrom=user`