From f43af3a63e00711a1821c45e94248b6b55a5ebb5 Mon Sep 17 00:00:00 2001
From: Alex Deymo <deymo@google.com>
Date: Tue, 5 Apr 2016 23:00:31 +0000
Subject: [PATCH] Revert "Remove "exec_type" from postinstall_file."

We decided on a different approach for these policies in the
meeting today.

This reverts commit 5507fa6672455ce3331a099f48a2977dd084b63d.

Bug: 28008031
Change-Id: Id86520660bdbc3fc36ac4acf51082547d6a559eb
---
 file.te          |  2 +-
 update_engine.te | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/file.te b/file.te
index 833e41a4f..b789e36e5 100644
--- a/file.te
+++ b/file.te
@@ -117,7 +117,7 @@ type storage_stub_file, file_type;
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
+type postinstall_file, file_type, exec_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
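Review bot: The `exec_type` attribute added to `postinstall_file` is not explained by the comment above it, and its reach is wide. Per that comment every file under /postinstall carries this label, so all of them, not only the postinstall program, become subject to whatever rules the policy keys on exec_type. I would add a line such as `# exec_type: the postinstall program is the entrypoint of the postinstall domain (see update_engine.te).` so the reason stays with the declaration. Rules elsewhere in the policy that match exec_type are not visible in this hunk and are worth re-checking against this type.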
diff --git a/update_engine.te b/update_engine.te
index 06ae5212d..cf614e6a0 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -36,13 +36,19 @@ allow update_engine postinstall_mnt_dir:dir mounton;
 allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine labeledfs:filesystem relabelfrom;
 
-# Allow update_engine to read and execute postinstall_file, which is what the
-# postinstall program is relabeled to regardless of its attributes in the new
-# system. The postinstall program will run in the "postinstall" domain.
+# Allow update_engine to read and execute postinstall_file.
 allow update_engine postinstall_file:file rx_file_perms;
 allow update_engine postinstall_file:lnk_file r_file_perms;
 allow update_engine postinstall_file:dir r_dir_perms;
 
+# The postinstall program is run by update_engine and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine, postinstall_file, postinstall)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine shell_exec:file rx_file_perms;
+
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 allow update_engine update_engine_service:service_manager { add };
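Review bot: The added `allow update_engine shell_exec:file rx_file_perms;` grants more than the comment above it justifies. In AOSP's macros rx_file_perms includes execute_no_trans, so update_engine may run the shell in its own domain, while the stated need is only that a `#!` postinstall script can be started, and that script already moves to the postinstall domain through the added `domain_auto_trans` line. If the interpreter lookup is the only reason, a narrower rule such as `allow update_engine shell_exec:file { r_file_perms execute };` would likely be enough; confirm on a device by watching for denials. The same question applies to the unchanged `postinstall_file:file rx_file_perms` rule, since domain_auto_trans presumably already grants the execute access needed for the transition.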
-- 
GitLab