Add sepolicy for starting the snapuserd daemon through init. Restrict access to controlling snapuserd via ctl properties. Allow update_engine to control snapuserd, and connect/write to its socket. update_engine needs this access so it can create the appropriate dm-user device (which sends queries to snapuserd), which is then used to build the update snapshot. This also fixes a bug where /dev/dm-user was not properly labelled. As a result, snapuserd and update_engine have been granted r_dir_perms to dm_user_device. Bug: 168554689 Test: full ota with VABC enabled Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0

commit: 09bb944221a1e3adeed14eb110895fca2f9b347d [log] [tgz]
author: David Anderson <dvander@google.com> Fri Nov 13 00:45:59 2020 -0800
committer: David Anderson <dvander@google.com> Thu Nov 19 21:03:30 2020 +0000
tree: 95baab6523c956c31e448067f7535bfeb392010b
parent: 5d6020d9f5a60e92a8ec7109344145f3d4ab533d [diff] [blame]
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index d110238..dd90fbc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te

@@ -65,6 +65,10 @@
 # apply / verify updates on devices mapped via device mapper
 allow update_engine_common dm_device:blk_file rw_file_perms;
 
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
 # read / write metadata on super device to resize partitions
 allow update_engine_common super_block_device_type:blk_file rw_file_perms;
commit	09bb944221a1e3adeed14eb110895fca2f9b347d	[log] [tgz]
author	David Anderson <dvander@google.com>	Fri Nov 13 00:45:59 2020 -0800
committer	David Anderson <dvander@google.com>	Thu Nov 19 21:03:30 2020 +0000
tree	95baab6523c956c31e448067f7535bfeb392010b
parent	5d6020d9f5a60e92a8ec7109344145f3d4ab533d [diff] [blame]