Merge "[SEPolicy][sota_app]Move sota_app to gs-common." into udc-d1-dev am: 89ee4a6375 am: 9d44625b4b am: e28109b8cf

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs-common/+/23658709 Change-Id: I0726b99892ac3fd3ea2d87a707317fea86e0143a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-06-19 07:50:07 +00:00 · 2023-06-19 07:50:07 +00:00 · 6afe14c0f2
commit 6afe14c0f2
parent d78907c353 e28109b8cf
5 changed files with 44 additions and 0 deletions
--- a/sota_app/factoryota.mk
+++ b/sota_app/factoryota.mk
@ -0,0 +1,4 @@
+PRODUCT_PACKAGES += \
+    FactoryOtaPrebuilt
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext
--- a/sota_app/sepolicy/system_ext/factory_ota_app.te
+++ b/sota_app/sepolicy/system_ext/factory_ota_app.te
@ -0,0 +1,32 @@
+type factory_ota_app, domain, coredomain;
+
+app_domain(factory_ota_app)
+net_domain(factory_ota_app)
+
+# Write to /data/ota_package for OTA packages.
+# Factory OTA client will download OTA image into ota_package folder and unzip it.
+# Than Update engine could use it to execute OTA process.
+# So Factory OTA client need read / write and create file access right for this folder
+allow factory_ota_app ota_package_file:dir rw_dir_perms;
+allow factory_ota_app ota_package_file:file create_file_perms;
+
+# Properties
+# For write system property persist.*
+set_prop(factory_ota_app, sota_prop);
+
+# Services
+# For get access WiFi manager service and activity service
+allow factory_ota_app app_api_service:service_manager find;
+# Allow Factory OTA to call Update Engine
+binder_call(factory_ota_app, update_engine)
+# Allow Update Engine to call the Factory OTA callback
+binder_call(update_engine, factory_ota_app)
+#For access update engine function
+allow factory_ota_app update_engine_service:service_manager find;
+#For disable NFC wake up device feature
+allow factory_ota_app nfc_service:service_manager find;
+#For get device IMEI
+allow factory_ota_app radio_service:service_manager find;
+
+# For suppress more GPU service sepolicy error log.
+dontaudit factory_ota_app gpuservice:binder call;
--- a/sota_app/sepolicy/system_ext/property_contexts
+++ b/sota_app/sepolicy/system_ext/property_contexts
@ -0,0 +1,5 @@
+ro.boot.sota                                    u:object_r:sota_prop:s0
+ro.boot.sota.                                   u:object_r:sota_prop:s0
+persist.vendor.factoryota.                      u:object_r:sota_prop:s0
+persist.vendor.radio.bootwithlpm                u:object_r:sota_prop:s0
+persist.vendor.nfc.factoryota.                  u:object_r:sota_prop:s0
--- a/sota_app/sepolicy/system_ext/seapp_contexts
+++ b/sota_app/sepolicy/system_ext/seapp_contexts
@ -0,0 +1,2 @@
+# Factory OTA
+user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all
--- a/sota_app/sepolicy/system_ext/vendor_init.te
+++ b/sota_app/sepolicy/system_ext/vendor_init.te
@ -0,0 +1 @@
+set_prop(vendor_init, sota_prop)