Grant update_verifier access to sysfs
update_verifier's access to sysfs was accidentally revoked in
0e3c40a15bee4c0938f884b6471cdb51918c01f3 but that was masked by the
fact that at the time clients of a HAL were granted access needed to
invoke the HAL in-process. The recent system/sepolicy
22157e7a86e6d64bf55cea923e92999d05241c5d stopped granting such access,
and thus unmasked the issue.
This commit grants update_verifier exactly the sysfs access rules
which the Boot Control HAL has. update_verifier is a client of this
HAL.
Test: Apply OTA update via update_engine:
1. make otatools dist
2. Ensure device has network connectivity
3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
4. Confirm no denials to do with update_verifier
Bug: 37415192
Change-Id: I20b9314f0d9512067716dd18c3b78b5db61b6c2e
(cherry picked from commit 39448b61396decac801d4dff8973dc42597bdfdf)
diff --git a/sepolicy/update_verifier.te b/sepolicy/update_verifier.te
new file mode 100644
index 0000000..aeee653
--- /dev/null
+++ b/sepolicy/update_verifier.te
@@ -0,0 +1,4 @@
+# Read the sysfs to lookup what /dev/sgN device
+# corresponds to the XBL partitions.
+allow update_verifier sysfs:file r_file_perms;
+allow update_verifier sysfs:dir r_dir_perms;
