From b69f0cbf9c3f3049aa93f00a45d40b9e24843b26 Mon Sep 17 00:00:00 2001
From: "haohsiang.hsu"
Date: Sat, 18 Jan 2020 10:04:29 +0800
Subject: [PATCH] [ALPS03783870] Add policy for update boot partition

[Detail]
Add poilcy for update_engine and vbmeta so that A/B system update can work well.
MTK-Commit-Id: de7ad7a48111b4e02f042600c6e65484d03ac87f
Change-Id: I79346615ad1be4c5ea33343c1fce73c22be1f82f
CR-Id: ALPS03783870
Feature: Secure Boot
---
 non_plat/device.te | 1 +
 non_plat/file_contexts | 1 +
 non_plat/update_engine.te | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/non_plat/device.te b/non_plat/device.te
index 16af38d..a1d3e79 100644
--- a/non_plat/device.te
+++ b/non_plat/device.te
@@ -221,6 +221,7 @@ type audio_ipi_device, dev_type;
 type cam_vpu_block_device,dev_type;
 type boot_para_block_device,dev_type;
 type mtk_dfrc_device, dev_type;
+type vbmeta_block_device, dev_type;
 
 ##########################
 # Sensor common Devices Start
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index dcd393c..d9fcd94 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -462,6 +462,7 @@
 /dev/block/platform/bootdevice/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
 /dev/block/platform/bootdevice/by-name/mcupmfw(_[ab])? u:object_r:mcupmfw_block_device:s0
 /dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0
+/dev/block/platform/bootdevice/by-name/vbmeta(_[ab])? u:object_r:vbmeta_block_device:s0
 
 
 #############################
diff --git a/non_plat/update_engine.te b/non_plat/update_engine.te
index 31fb7e5..cd319fc 100644
--- a/non_plat/update_engine.te
+++ b/non_plat/update_engine.te
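Review bot: The new file_contexts entry labels only `vbmeta(_[ab])?`, and because file_contexts patterns are matched against the whole path, sibling partitions such as vbmeta_system or vbmeta_vendor — if this device ships them — would not receive vbmeta_block_device and update_engine would still be denied on them. If they exist, widen the pattern, e.g. `/dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0`, or add one entry per partition; otherwise a short comment stating that only the top-level vbmeta image is updated here would help the next reader. The matching type declaration in the device.te hunk needs no change either way.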
@@ -16,6 +16,7 @@ allow update_engine mcupmfw_block_device:blk_file rw_file_perms;
 allow update_engine loader_ext_block_device:blk_file rw_file_perms;
 allow update_engine cam_vpu_block_device:blk_file rw_file_perms;
 allow update_engine para_block_device:blk_file rw_file_perms;
+allow update_engine vbmeta_block_device:blk_file rw_file_perms;
 
 
 # Add for update_engine call by system_app
@@ -23,3 +24,6 @@ allow update_engine system_app:binder { call transfer };
 
 # Add for update_engine with postinstall
 allow update_engine postinstall_mnt_dir:dir { search getattr open read write search unlink};
+
+# Add for AVB20
+allow update_engine tmpfs:lnk_file read;
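Review bot: `allow update_engine tmpfs:lnk_file read;` grants read on every symlink carrying the generic tmpfs label, and the comment `# Add for AVB20` does not record which link update_engine actually follows, so a later reviewer cannot tell whether a narrower file type would suffice. Please widen the comment to name the link and the denial that motivated the rule, e.g. `# AVB 2.0: update_engine follows <SYMLINK-PATH placeholder> on a tmpfs mount (avc denial: <DENIAL placeholder>)`. If that path lives under a mount that already has its own context, use that type instead of the generic tmpfs. The new vbmeta rw_file_perms line in the first hunk of this file matches the sibling block-device rules and needs no further change.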