From 47ee18d67aa1007610c19b4bede1cebd0d51ffff Mon Sep 17 00:00:00 2001
From: Yifan Hong <elsk@google.com>
Date: Tue, 4 Feb 2020 16:37:52 -0800
Subject: [PATCH] Allow update_engine to write snapshotctl log data

recovery is excluded because it is not an interesting code
path.

Test: apply OTA, cancel, delete OTA states, then apply again
      to trigger CancelUpdate() code path, see logs

Bug: 148818798
Change-Id: I3baac977af54ac0a09c9b732fd172469c9f51627
---
 public/update_engine.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/public/update_engine.te b/public/update_engine.te
index a6be3d361..078e494d9 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -75,3 +75,10 @@ set_prop(update_engine, ota_prop)
 # gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
 # the access.
 dontaudit update_engine gsi_metadata_file:dir search;
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')