author | alk3pInjection <webmaster@raspii.tech> | 2022-02-06 10:11:45 +0800 |
---|---|---|
committer | alk3pInjection <webmaster@raspii.tech> | 2022-03-03 13:57:18 +0800 |
commit | 6cf7f8f40bd93f2cd6dfb9d03870f3852fb3dbe7 (patch) | |
tree | 4981ad54c01916f09e1706437cd008f562379d7d | |
parent | 6ab756b547109f8b8a7a3e4c342dd8e6679b4059 (diff) |
ice: Build Updater
also squashed with the following changes:
Author: Michael Bestas <mkbestas@lineageos.org>
Date: Sat Oct 9 15:49:50 2021 +0300
common: Remove unused updater policy
* Updater has its own SELinux domain
Change-Id: I9bfa8879e167ffe97a15839e8baa6407c4085232
Author: Michael Bestas <mkbestas@lineageos.org>
Date: Fri Oct 8 17:47:20 2021 +0300
common: exported2_default_prop -> build_prop
Change-Id: I535b88b360d3bf6a4487086c15d90a2800667056
Author: Nolen Johnson <johnsonnolen@gmail.com>
Date: Fri Nov 13 16:28:58 2020 -0500
updater_app: Grant additional permissions
avc: denied { search } for name="recovery" dev="mmcblk0p53" ino=25601 scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1 app=org.lineageos.updater
avc: denied { write } for name="recovery" dev="mmcblk0p53" ino=25601 scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=1 app=org.lineageos.updater
avc: denied { write open } for path="/cache/recovery/uncrypt_file" dev="mmcblk0p53" ino=25625 scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file permissive=1 app=org.lineageos.updater
avc: denied { setattr } for name="uncrypt_file" dev="mmcblk0p53" ino=25625 scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file permissive=1 app=org.lineageos.updater
avc: denied { find } for pid=18378 uid=10077 name=recovery scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:recovery_service:s0 tclass=service_manager permissive=1
avc: denied { search } for name="/" dev="mmcblk0p53" ino=2 scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0 app=org.lineageos.updater
avc: denied { unlink } for name="uncrypt_file" dev="mmcblk0p53" ino=25625 scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=file permissive=1 app=org.lineageos.updater
avc: denied { create } for name="uncrypt_file" scontext=u:r:updater_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file permissive=1 app=org.lineageos.updater
Change-Id: I55d9809be8d3782b33ec088f965ce1dd06401175
Author: Bruno Martins <bgcngm@gmail.com>
Date: Thu Nov 12 00:16:09 2020 +0000
Updater: Allow binder calls to gpu service
Change-Id: Id01a050c43b81b128dc262a542c4dd7b4b1c76f6
Author: Eamon Powell <eamonpowell@outlook.com>
Date: Wed Oct 7 00:18:42 2020 +1100
updater_app: Allow updater_app domain to access the network
When the Updater app was switched from the priv_app selinux domain
to its own domain it accidentally lost network permissions.
Change-Id: Ieafcf0ae8fb67b3eea6f652326fe232149e159d4
Author: LuK1337 <priv.luk@gmail.com>
Date: Tue Sep 29 12:49:21 2020 +0200
common: Switch Updater app to its own SELinux domain
Change-Id: If0ea1c3af9f75c312e02d63ce2c7d0ec051b4be3
Author: Dan Pasanen <dan.pasanen@gmail.com>
Date: Thu Feb 2 08:14:41 2017 -0600
sepolicy: add rules for updater and update_engine
* We need special exceptions for update_engine scripts because we
handle backuptool operations through it.
* priv_app needs to be able to make ota package dirs in order to
put the ota in the correct spot.
Change-Id: I42a421e4d84adde9514932a056c082d1cb3e09b4
Author: Dan Pasanen <dan.pasanen@gmail.com>
Date: Mon Feb 5 16:47:49 2018 -0600
common: add update_engine policies
Change-Id: I5d3a8b60b0f854d009af2b45d9ca23f484d5d2a1
Change-Id: If89f570a0d1277a980c02dd93917a73ac5a9b20c
-rw-r--r-- | sepolicy/private/rootfs.te | 1 | ||||
-rw-r--r-- | sepolicy/private/sdcardfs.te | 1 | ||||
-rw-r--r-- | sepolicy/private/seapp_contexts | 1 | ||||
-rw-r--r-- | sepolicy/private/update_engine.te | 9 | ||||
-rw-r--r-- | sepolicy/private/updater_app.te | 26 | ||||
-rw-r--r-- | target/product/packages.mk | 5 |
6 files changed, 43 insertions, 0 deletions
diff --git a/sepolicy/private/rootfs.te b/sepolicy/private/rootfs.te
new file mode 100644
index 0000000..7cfb964
--- /dev/null
+++ b/sepolicy/private/rootfs.te
@@ -0,0 +1 @@
+allow rootfs labeledfs:filesystem associate;
diff --git a/sepolicy/private/sdcardfs.te b/sepolicy/private/sdcardfs.te
new file mode 100644
index 0000000..245f9a8
--- /dev/null
+++ b/sepolicy/private/sdcardfs.te
@@ -0,0 +1 @@
+allow sdcardfs labeledfs:filesystem associate;
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/private/seapp_contexts
new file mode 100644
index 0000000..a960b57
--- /dev/null
+++ b/sepolicy/private/seapp_contexts
@@ -0,0 +1 @@
+user=_app isPrivApp=true seinfo=platform name=org.lineageos.updater domain=updater_app type=app_data_file levelFrom=user
diff --git a/sepolicy/private/update_engine.te b/sepolicy/private/update_engine.te
new file mode 100644
index 0000000..26ebc33
--- /dev/null
+++ b/sepolicy/private/update_engine.te
@@ -0,0 +1,9 @@
+# Allow update_engine to call the callback function provided by updater_app
+binder_call(update_engine, updater_app)
+
+# Read updates from storage data
+r_dir_file(update_engine, mnt_user_file)
+r_dir_file(update_engine, storage_file)
+
+# Allow mount and unmount of system partition
+allow update_engine labeledfs:filesystem { mount unmount };
diff --git a/sepolicy/private/updater_app.te b/sepolicy/private/updater_app.te
new file mode 100644
index 0000000..8589183
--- /dev/null
+++ b/sepolicy/private/updater_app.te
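Review bot: `allow rootfs labeledfs:filesystem associate;` is added with no comment, and the same holds for `allow sdcardfs labeledfs:filesystem associate;` in sdcardfs.te; none of the squashed commit messages mentions either rule. An associate grant lets objects carrying that type exist on any filesystem labelled labeledfs, so the reason belongs next to the rule where a later audit will find it. I would put a line such as `# <denial or use case that requires rootfs-labelled objects on labeledfs>` above each rule, or drop the rules if no current denial needs them.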
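Review bot: The comment `# Allow mount and unmount of system partition` in update_engine.te understates the rule under it: `allow update_engine labeledfs:filesystem { mount unmount };` names no partition and applies to every filesystem labelled labeledfs. The squashed message ties this grant to backuptool being run through update_engine, so the comment should say that and state the real scope, e.g. `# backuptool (run via update_engine) mounts/unmounts the system image; grant covers all labeledfs filesystems`. The two `r_dir_file` grants on `mnt_user_file` and `storage_file` are described only as "storage data"; naming the caller that needs update_engine to read from shared storage would make the grant easier to re-evaluate later.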
@@ -0,0 +1,26 @@
+type updater_app, domain, coredomain;
+
+app_domain(updater_app)
+net_domain(updater_app)
+
+binder_call(updater_app, gpuservice)
+binder_call(updater_app, update_engine)
+
+allow updater_app app_api_service:service_manager find;
+allow updater_app recovery_service:service_manager find;
+allow updater_app system_api_service:service_manager find;
+allow updater_app update_engine_service:service_manager find;
+
+allow updater_app app_data_file:dir create_dir_perms;
+allow updater_app app_data_file:{ file lnk_file } create_file_perms;
+
+allow updater_app cache_file:dir r_dir_perms;
+
+allow updater_app cache_recovery_file:dir rw_dir_perms;
+allow updater_app cache_recovery_file:file create_file_perms;
+
+allow updater_app ota_package_file:dir create_dir_perms;
+allow updater_app ota_package_file:file create_file_perms;
+
+get_prop(updater_app, default_prop)
+get_prop(updater_app, build_prop)
diff --git a/target/product/packages.mk b/target/product/packages.mk
index 00393c5..81f9959 100644
--- a/target/product/packages.mk
+++ b/target/product/packages.mk
@@ -19,6 +19,11 @@ PRODUCT_PACKAGES += \
 SimpleDeviceConfig \
 ThemePicker
+ifeq ($(AB_OTA_UPDATER), true)
+PRODUCT_PACKAGES += \
+ Updater
+endif
+
 # HIDL
 PRODUCT_PACKAGES += \
 android.hidl.base@1.0 \ |
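Review bot: `get_prop(updater_app, default_prop)` at the end of updater_app.te grants read on the fallback label that properties receive when they have no explicit context, which is wider than a named property type for a domain that also has `net_domain`. The squashed change "exported2_default_prop -> build_prop" suggests the property the app reads now lives under `build_prop`, so the `default_prop` line may be a leftover; I would drop it and confirm no denial appears, or keep it with a comment naming the property, e.g. `# reads <property name> which is still labelled default_prop`. Unlike update_engine.te, this file has no comments at all; the avc denials quoted in the commit message would make good one-line justifications above the `cache_recovery_file` and `recovery_service` rules.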
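Review bot: `ifeq ($(AB_OTA_UPDATER), true)` builds Updater only for A/B targets, while the policy files added by this commit are unconditional. updater_app.te carries `cache_recovery_file` and `recovery_service` grants whose denials in the commit message concern `/cache/recovery/uncrypt_file`, which looks like the non-A/B install path. If this product is A/B-only, those grants appear unused and could be removed for least privilege; if non-A/B devices are supported too, the guard leaves them without an updater. A comment above the `ifeq` stating the intended case would settle it, e.g. `# Updater is shipped on A/B targets only`.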