From f9d42c518c56606abf086276eee1e70c91435a35 Mon Sep 17 00:00:00 2001 From: joeshih Date: Wed, 14 Jun 2023 12:41:02 +0800 Subject: [PATCH] [SEPolicy][sota_app]Move sota_app to gs-common. - Refer to go/pixel-defrag. Bug: 287167439 Test: Forrest build to verify pass. Change-Id: I4279dfcdb56684332e617f073ed5efc191a53390 --- sota_app/factoryota.mk | 4 +++ .../sepolicy/system_ext/factory_ota_app.te | 32 +++++++++++++++++++ .../sepolicy/system_ext/property_contexts | 5 +++ sota_app/sepolicy/system_ext/seapp_contexts | 2 ++ sota_app/sepolicy/system_ext/vendor_init.te | 1 + 5 files changed, 44 insertions(+) create mode 100644 sota_app/factoryota.mk create mode 100644 sota_app/sepolicy/system_ext/factory_ota_app.te create mode 100644 sota_app/sepolicy/system_ext/property_contexts create mode 100644 sota_app/sepolicy/system_ext/seapp_contexts create mode 100644 sota_app/sepolicy/system_ext/vendor_init.te diff --git a/sota_app/factoryota.mk b/sota_app/factoryota.mk new file mode 100644 index 0000000..14ed2b5 --- /dev/null +++ b/sota_app/factoryota.mk @@ -0,0 +1,4 @@ +PRODUCT_PACKAGES += \ + FactoryOtaPrebuilt + +SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext diff --git a/sota_app/sepolicy/system_ext/factory_ota_app.te b/sota_app/sepolicy/system_ext/factory_ota_app.te new file mode 100644 index 0000000..f48adeb --- /dev/null +++ b/sota_app/sepolicy/system_ext/factory_ota_app.te @@ -0,0 +1,32 @@ +type factory_ota_app, domain, coredomain; + +app_domain(factory_ota_app) +net_domain(factory_ota_app) + +# Write to /data/ota_package for OTA packages. +# Factory OTA client will download OTA image into ota_package folder and unzip it. +# Than Update engine could use it to execute OTA process. +# So Factory OTA client need read / write and create file access right for this folder +allow factory_ota_app ota_package_file:dir rw_dir_perms; +allow factory_ota_app ota_package_file:file create_file_perms; + +# Properties +# For write system property persist.* +set_prop(factory_ota_app, sota_prop); + +# Services +# For get access WiFi manager service and activity service +allow factory_ota_app app_api_service:service_manager find; +# Allow Factory OTA to call Update Engine +binder_call(factory_ota_app, update_engine) +# Allow Update Engine to call the Factory OTA callback +binder_call(update_engine, factory_ota_app) +#For access update engine function +allow factory_ota_app update_engine_service:service_manager find; +#For disable NFC wake up device feature +allow factory_ota_app nfc_service:service_manager find; +#For get device IMEI +allow factory_ota_app radio_service:service_manager find; + +# For suppress more GPU service sepolicy error log. +dontaudit factory_ota_app gpuservice:binder call; diff --git a/sota_app/sepolicy/system_ext/property_contexts b/sota_app/sepolicy/system_ext/property_contexts new file mode 100644 index 0000000..deb34dc --- /dev/null +++ b/sota_app/sepolicy/system_ext/property_contexts @@ -0,0 +1,5 @@ +ro.boot.sota u:object_r:sota_prop:s0 +ro.boot.sota. u:object_r:sota_prop:s0 +persist.vendor.factoryota. u:object_r:sota_prop:s0 +persist.vendor.radio.bootwithlpm u:object_r:sota_prop:s0 +persist.vendor.nfc.factoryota. u:object_r:sota_prop:s0 diff --git a/sota_app/sepolicy/system_ext/seapp_contexts b/sota_app/sepolicy/system_ext/seapp_contexts new file mode 100644 index 0000000..673f451 --- /dev/null +++ b/sota_app/sepolicy/system_ext/seapp_contexts @@ -0,0 +1,2 @@ +# Factory OTA +user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all diff --git a/sota_app/sepolicy/system_ext/vendor_init.te b/sota_app/sepolicy/system_ext/vendor_init.te new file mode 100644 index 0000000..11191e3 --- /dev/null +++ b/sota_app/sepolicy/system_ext/vendor_init.te @@ -0,0 +1 @@ +set_prop(vendor_init, sota_prop)