public/update_engine.te - platform/system/sepolicy - Git at Google

 # Domain for update_engine daemon.
 type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;

 net_domain(update_engine);

 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
 # sockets.
 allow update_engine qtaguid_proc:file rw_file_perms;
 allow update_engine qtaguid_device:chr_file r_file_perms;

 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:capability { fowner sys_admin };
 allow update_engine kmsg_device:chr_file w_file_perms;
 allow update_engine update_engine_exec:file rx_file_perms;
 wakelock_use(update_engine);

 # Ignore these denials.
 dontaudit update_engine kernel:process setsched;

 # Allow using persistent storage in /data/misc/update_engine.
 allow update_engine update_engine_data_file:dir { create_dir_perms };
 allow update_engine update_engine_data_file:file { create_file_perms };

 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;

 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 add_service(update_engine, update_engine_service)

 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)

 # Read OTA zip file at /data/ota_package/.
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;

 # Use Boot Control HAL
 hal_client_domain(update_engine, hal_bootctl)
	# Domain for update_engine daemon.
	type update_engine, domain, update_engine_common;
	type update_engine_exec, exec_type, file_type;
	type update_engine_data_file, file_type, data_file_type;

	net_domain(update_engine);

	# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
	# sockets.
	allow update_engine qtaguid_proc:file rw_file_perms;
	allow update_engine qtaguid_device:chr_file r_file_perms;

	# Following permissions are needed for update_engine.
	allow update_engine self:process { setsched };
	allow update_engine self:capability { fowner sys_admin };
	allow update_engine kmsg_device:chr_file w_file_perms;
	allow update_engine update_engine_exec:file rx_file_perms;
	wakelock_use(update_engine);

	# Ignore these denials.
	dontaudit update_engine kernel:process setsched;

	# Allow using persistent storage in /data/misc/update_engine.
	allow update_engine update_engine_data_file:dir { create_dir_perms };
	allow update_engine update_engine_data_file:file { create_file_perms };

	# Don't allow kernel module loading, just silence the logs.
	dontaudit update_engine kernel:system module_request;

	# Register the service to perform Binder IPC.
	binder_use(update_engine)
	add_service(update_engine, update_engine_service)

	# Allow update_engine to call the callback function provided by priv_app.
	binder_call(update_engine, priv_app)

	# Read OTA zip file at /data/ota_package/.
	allow update_engine ota_package_file:file r_file_perms;
	allow update_engine ota_package_file:dir r_dir_perms;

	# Use Boot Control HAL
	hal_client_domain(update_engine, hal_bootctl)