[SEPolicy][sota_app]Move sota_app to gs-common.

- Refer to go/pixel-defrag. Bug: 287167439 Test: Forrest build to verify pass. Change-Id: I4279dfcdb56684332e617f073ed5efc191a53390
2023-06-14 12:41:02 +08:00 · 2023-06-14 12:41:02 +08:00 · f9d42c518c
commit f9d42c518c
parent dca837f2be
5 changed files with 44 additions and 0 deletions
--- a/sota_app/factoryota.mk
+++ b/sota_app/factoryota.mk
@ -0,0 +1,4 @@
+PRODUCT_PACKAGES += \
+    FactoryOtaPrebuilt
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext
--- a/sota_app/sepolicy/system_ext/factory_ota_app.te
+++ b/sota_app/sepolicy/system_ext/factory_ota_app.te
@ -0,0 +1,32 @@
+type factory_ota_app, domain, coredomain;
+
+app_domain(factory_ota_app)
+net_domain(factory_ota_app)
+
+# Write to /data/ota_package for OTA packages.
+# Factory OTA client will download OTA image into ota_package folder and unzip it.
+# Than Update engine could use it to execute OTA process.
+# So Factory OTA client need read / write and create file access right for this folder
+allow factory_ota_app ota_package_file:dir rw_dir_perms;
+allow factory_ota_app ota_package_file:file create_file_perms;
+
+# Properties
+# For write system property persist.*
+set_prop(factory_ota_app, sota_prop);
+
+# Services
+# For get access WiFi manager service and activity service
+allow factory_ota_app app_api_service:service_manager find;
+# Allow Factory OTA to call Update Engine
+binder_call(factory_ota_app, update_engine)
+# Allow Update Engine to call the Factory OTA callback
+binder_call(update_engine, factory_ota_app)
+#For access update engine function
+allow factory_ota_app update_engine_service:service_manager find;
+#For disable NFC wake up device feature
+allow factory_ota_app nfc_service:service_manager find;
+#For get device IMEI
+allow factory_ota_app radio_service:service_manager find;
+
+# For suppress more GPU service sepolicy error log.
+dontaudit factory_ota_app gpuservice:binder call;
--- a/sota_app/sepolicy/system_ext/property_contexts
+++ b/sota_app/sepolicy/system_ext/property_contexts
@ -0,0 +1,5 @@
+ro.boot.sota                                    u:object_r:sota_prop:s0
+ro.boot.sota.                                   u:object_r:sota_prop:s0
+persist.vendor.factoryota.                      u:object_r:sota_prop:s0
+persist.vendor.radio.bootwithlpm                u:object_r:sota_prop:s0
+persist.vendor.nfc.factoryota.                  u:object_r:sota_prop:s0
--- a/sota_app/sepolicy/system_ext/seapp_contexts
+++ b/sota_app/sepolicy/system_ext/seapp_contexts
@ -0,0 +1,2 @@
+# Factory OTA
+user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all
--- a/sota_app/sepolicy/system_ext/vendor_init.te
+++ b/sota_app/sepolicy/system_ext/vendor_init.te
@ -0,0 +1 @@
+set_prop(vendor_init, sota_prop)