Update the sepolicy of OTA Coordinator

Add a rule for a new property: persist.vendor.ota_coordinator.fake_update Tracked-On: OAM-128450 Signed-off-by: Jade Guo <[email protected]>
projectceladon · Dec 22, 2024 · 3b7a143 · 3b7a143
1 parent 74c5ccf
commit 3b7a143
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/ota_coordinator/ota_coordinator.te b/ota_coordinator/ota_coordinator.te
@@ -15,9 +15,14 @@ allow ota_coordinator init:unix_stream_socket connectto;
 allow ota_coordinator misc_block_device:blk_file rw_file_perms;
 allow ota_coordinator property_socket:sock_file write;
 allow ota_coordinator tmpfs:file r_file_perms;
+allow ota_coordinator vendor_data_file:file { read open };
 typeattribute ota_coordinator socket_between_core_and_vendor_violators;
 
 set_prop(ota_coordinator, powerctl_prop)
 set_prop(ota_coordinator, vendor_intel_ota_prop)
 set_prop(vendor_init, vendor_intel_ota_prop)
 
+recovery_only(
+  allow recovery vendor_data_file:dir r_dir_perms;
+  allow recovery vendor_data_file:file r_file_perms;
+)
diff --git a/ota_coordinator/property_contexts b/ota_coordinator/property_contexts
@@ -1,3 +1,4 @@
 persist.vendor.ota_coordinator.last_slot_suffix u:object_r:vendor_intel_ota_prop:s0
+persist.vendor.ota_coordinator.fake_update      u:object_r:vendor_intel_ota_prop:s0
 vendor.ota_coordinator.factory_reset            u:object_r:vendor_intel_ota_prop:s0