From 79db4e47b367b233a0a2eb197c66d3d499c58da1 Mon Sep 17 00:00:00 2001
From: Tao Bao <tbao@google.com>
Date: Tue, 9 Feb 2016 14:12:58 -0800
Subject: [PATCH] update_engine: Allow to access bootctrl_block_device.

update_engine needs to access bootctrl_block_device to get and set the slot to boot.
avc: denied { write } for name="mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file

Also track the name change of the native binder service.
avc:  denied  { add } for service=android.os.UpdateEngineService pid=210 uid=0 scontext=u:r:update_engine:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

Bug: 27106053
Change-Id: Idbfef18578489db33fead0721e8f26d63db5ce09
(cherry picked from commit 3ec34ceb43b15c30e9c7bf1720ebea24f868d07a)
---
 service_contexts | 2 +-
 update_engine.te | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/service_contexts b/service_contexts
index 747369ef7..ec1194b47 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,7 +2,7 @@ accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
-android.os.IUpdateEngine                  u:object_r:update_engine_service:s0
+android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 appops                                    u:object_r:appops_service:s0
diff --git a/update_engine.te b/update_engine.te
index 3fbfd8a15..39b99361a 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -33,3 +33,6 @@ allow update_engine update_engine_service:service_manager { add };
 
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
+
+# Allow read/write bootctrl block device.
+allow update_engine bootctrl_block_device:blk_file rw_file_perms;
-- 
GitLab