blob: cf614e6a0883399a1c60b8155a6351d6267b9067 [file] [log] [blame]
# Domain for update_engine daemon.
type update_engine, domain, domain_deprecated;
type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type;
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };
allow update_engine kmsg_device:chr_file w_file_perms;
allow update_engine update_engine_exec:file rx_file_perms;
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };
# Allow update_engine to reach block devices in /dev/block.
allow update_engine block_device:dir search;
# Allow read/write on system and boot partitions.
allow update_engine boot_block_device:blk_file rw_file_perms;
allow update_engine system_block_device:blk_file rw_file_perms;
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
# Allow update_engine to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine postinstall_mnt_dir:dir mounton;
allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine labeledfs:filesystem relabelfrom;
# Allow update_engine to read and execute postinstall_file.
allow update_engine postinstall_file:file rx_file_perms;
allow update_engine postinstall_file:lnk_file r_file_perms;
allow update_engine postinstall_file:dir r_dir_perms;
# The postinstall program is run by update_engine and will always be tagged as a
# postinstall_file regardless of its attributes in the new system.
domain_auto_trans(update_engine, postinstall_file, postinstall)
# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.
allow update_engine shell_exec:file rx_file_perms;
# Register the service to perform Binder IPC.
allow update_engine update_engine_service:service_manager { add };
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
# Allow read/write bootctrl block device.
allow update_engine bootctrl_block_device:blk_file rw_file_perms;