From 9f7947348f34e423141291dd276752186f419566 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Tue, 18 Feb 2020 23:38:09 -0800 Subject: [PATCH] Allow kernel to write to update_engine_data_file This is needed to run update_engine unittests in cuttlefish. In the test, the directory is mounted as R/W. Denial: avc: denied { write } for path="/data/misc/update_engine/tmp/a_img.NqUpaa" dev="dm-4" ino=3048 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0 strace: mount("/dev/block/loop26", "/data/local/tmp/.org.chromium.Chromium.3s2KYE", "ext2", 0, "") = -1 EIO (I/O error) Test: unittests pass Change-Id: I4658eb60240bd725bac2aef30305747ffe50aeb6
---
 public/kernel.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/public/kernel.te b/public/kernel.te
index 42fe2c476..35018e91e 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -65,10 +65,10 @@ allow kernel vold:fd use;
 allow kernel { app_data_file privapp_data_file }:file read;
 allow kernel asec_image_file:file read;
-# Allow reading loop device in update_engine_unittests. (b/28319454)
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
 # and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
+ allow kernel update_engine_data_file:file { read write };
 allow kernel nativetest_data_file:file { read write };
 ')
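Review bot: The widened rule `allow kernel update_engine_data_file:file { read write };` grants the kernel domain write access to every file labelled update_engine_data_file, while the denial in the description only concerns a loop-backing image under `/data/misc/update_engine/tmp/`. The rule stays inside `userdebug_or_eng`, so user builds are unaffected, but on debug builds it presumably also covers update_engine's persistent state in the same directory tree. If the test images cannot be given a narrower type, the comment should at least state why write is needed, for example `# Allow R/W loop mounts backed by files in update_engine's data dir for update_engine_unittests.` The retained bug reference b/28319454 was attached to the read-only rule, so it is worth confirming that it still describes the write case.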