public/update_engine_common.te - platform/system/sepolicy - Git at Google

 # update_engine payload application permissions. These are shared between the
 # background daemon and the recovery tool to sideload an update.

 # Allow update_engine to reach block devices in /dev/block.
 allow update_engine_common block_device:dir search;

 # Allow read/write on system and boot partitions.
 allow update_engine_common boot_block_device:blk_file rw_file_perms;
 allow update_engine_common system_block_device:blk_file rw_file_perms;

 # Allow to set recovery options in the BCB. Used to trigger factory reset when
 # the update to an older version (channel change) or incompatible version
 # requires it.
 allow update_engine_common misc_block_device:blk_file rw_file_perms;

 # read fstab
 allow update_engine_common rootfs:dir getattr;
 allow update_engine_common rootfs:file r_file_perms;

 # Allow update_engine_common to mount on the /postinstall directory and reset the
 # labels on the mounted filesystem to postinstall_file.
 allow update_engine_common postinstall_mnt_dir:dir mounton;
 allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine_common labeledfs:filesystem relabelfrom;

 # Allow update_engine_common to read and execute postinstall_file.
 allow update_engine_common postinstall_file:file rx_file_perms;
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;

 # install update.zip from cache
 r_dir_file(update_engine_common, cache_file)

 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
 allow update_engine_common shell_exec:file rx_file_perms;

 # Allow update_engine_common to suspend, resume and kill the postinstall program.
 allow update_engine_common postinstall:process { signal sigstop sigkill };

 # access /proc/misc
 # Access is also granted to proc:file, but it is likely unneeded
 # due to the more specific grant to proc_misc immediately below.
 allow update_engine proc:file r_file_perms; # delete candidate
 allow update_engine proc_misc:file r_file_perms;

 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
	# update_engine payload application permissions. These are shared between the
	# background daemon and the recovery tool to sideload an update.

	# Allow update_engine to reach block devices in /dev/block.
	allow update_engine_common block_device:dir search;

	# Allow read/write on system and boot partitions.
	allow update_engine_common boot_block_device:blk_file rw_file_perms;
	allow update_engine_common system_block_device:blk_file rw_file_perms;

	# Allow to set recovery options in the BCB. Used to trigger factory reset when
	# the update to an older version (channel change) or incompatible version
	# requires it.
	allow update_engine_common misc_block_device:blk_file rw_file_perms;

	# read fstab
	allow update_engine_common rootfs:dir getattr;
	allow update_engine_common rootfs:file r_file_perms;

	# Allow update_engine_common to mount on the /postinstall directory and reset the
	# labels on the mounted filesystem to postinstall_file.
	allow update_engine_common postinstall_mnt_dir:dir mounton;
	allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
	allow update_engine_common labeledfs:filesystem relabelfrom;

	# Allow update_engine_common to read and execute postinstall_file.
	allow update_engine_common postinstall_file:file rx_file_perms;
	allow update_engine_common postinstall_file:lnk_file r_file_perms;
	allow update_engine_common postinstall_file:dir r_dir_perms;

	# install update.zip from cache
	r_dir_file(update_engine_common, cache_file)

	# A postinstall program is typically a shell script (with a #!), so we allow
	# to execute those.
	allow update_engine_common shell_exec:file rx_file_perms;

	# Allow update_engine_common to suspend, resume and kill the postinstall program.
	allow update_engine_common postinstall:process { signal sigstop sigkill };

	# access /proc/misc
	# Access is also granted to proc:file, but it is likely unneeded
	# due to the more specific grant to proc_misc immediately below.
	allow update_engine proc:file r_file_perms; # delete candidate
	allow update_engine proc_misc:file r_file_perms;

	# read directories on /system and /vendor
	allow update_engine system_file:dir r_dir_perms;