common: Switch Updater app to its own SELinux domain Change-Id: If0ea1c3af9f75c312e02d63ce2c7d0ec051b4be3

commit: 2fe3cf32b5359481ce13f1773cd6dd551e4c048e [log] [tgz]
author: LuK1337 <priv.luk@gmail.com> Tue Sep 29 12:49:21 2020 +0200
committer: Łukasz Patron <priv.luk@gmail.com> Mon Oct 05 10:43:02 2020 +0200
tree: cb12d6ef5273e119eb1248c73263df193bb2df80
parent: 1b7f792df200ac46b1f508826e810e94ab1c3388 [diff]
diff --git a/common/private/priv_app.te b/common/private/priv_app.te
deleted file mode 100644
index 1d7fca2..0000000
--- a/common/private/priv_app.te
+++ /dev/null

@@ -1 +0,0 @@
-allow priv_app ota_package_file:dir create_dir_perms;

diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
index 9538d60..0b94f96 100644
--- a/common/private/seapp_contexts
+++ b/common/private/seapp_contexts

@@ -1,2 +1,3 @@
 user=_app isPrivApp=true seinfo=platform name=com.android.gallery3d domain=gallery_app type=app_data_file levelFrom=user
 user=_app isPrivApp=true seinfo=platform name=org.lineageos.snap domain=snap_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=org.lineageos.updater domain=updater_app type=app_data_file levelFrom=user

diff --git a/common/private/update_engine.te b/common/private/update_engine.te
index c257b03..7718ff9 100644
--- a/common/private/update_engine.te
+++ b/common/private/update_engine.te

@@ -1,3 +1,6 @@
+# Allow update_engine to call the callback function provided by updater_app
+binder_call(update_engine, updater_app)
+
 # Read updates from storage data
 r_dir_file(update_engine, mnt_user_file)
 r_dir_file(update_engine, storage_file)

diff --git a/common/private/updater_app.te b/common/private/updater_app.te
new file mode 100644
index 0000000..ad42ccc
--- /dev/null
+++ b/common/private/updater_app.te

@@ -0,0 +1,18 @@
+type updater_app, domain, coredomain;
+
+app_domain(updater_app)
+
+binder_call(updater_app, update_engine)
+
+allow updater_app app_api_service:service_manager find;
+allow updater_app system_api_service:service_manager find;
+allow updater_app update_engine_service:service_manager find;
+
+allow updater_app app_data_file:dir create_dir_perms;
+allow updater_app app_data_file:{ file lnk_file } create_file_perms;
+
+allow updater_app ota_package_file:dir create_dir_perms;
+allow updater_app ota_package_file:file create_file_perms;
+
+get_prop(updater_app, default_prop)
+get_prop(updater_app, exported2_default_prop)
commit	2fe3cf32b5359481ce13f1773cd6dd551e4c048e	[log] [tgz]
author	LuK1337 <priv.luk@gmail.com>	Tue Sep 29 12:49:21 2020 +0200
committer	Łukasz Patron <priv.luk@gmail.com>	Mon Oct 05 10:43:02 2020 +0200
tree	cb12d6ef5273e119eb1248c73263df193bb2df80
parent	1b7f792df200ac46b1f508826e810e94ab1c3388 [diff]