private/postinstall.te - platform/system/sepolicy - Git at Google

 typeattribute postinstall coredomain;
 type postinstall_exec, system_file_type, exec_type, file_type;
 domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)

 allow postinstall rootfs:dir r_dir_perms;

 # Allow invoking `pm` shell commands.
 allow postinstall package_service:service_manager find;

 # Allow postinstall to write to its stdout/stderr when redirected via pipes to
 # update_engine.
 allow postinstall update_engine_common:fd use;
 allow postinstall update_engine_common:fifo_file rw_file_perms;

 # Allow postinstall to read and execute directories and files in the same
 # mounted location.
 allow postinstall postinstall_file:file rx_file_perms;
 allow postinstall postinstall_file:lnk_file r_file_perms;
 allow postinstall postinstall_file:dir r_dir_perms;

 # Allow postinstall to execute the shell or other system executables.
 allow postinstall shell_exec:file rx_file_perms;
 allow postinstall system_file:file rx_file_perms;
 allow postinstall toolbox_exec:file rx_file_perms;

 # Allow postinstall to execute shell in recovery.
 recovery_only(`
   allow postinstall rootfs:file rx_file_perms;
 ')

 #
 # For OTA dexopt.
 #

 # Allow postinstall scripts to talk to the system server.
 binder_use(postinstall)
 binder_call(postinstall, system_server)

 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;

 # Allow postinstall scripts to trigger f2fs garbage collection
 allow postinstall sysfs_fs_f2fs:file rw_file_perms;
 allow postinstall sysfs_fs_f2fs:dir r_dir_perms;

 ###
 ### Neverallow rules
 ###

 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.
 neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
	typeattribute postinstall coredomain;
	type postinstall_exec, system_file_type, exec_type, file_type;
	domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)

	allow postinstall rootfs:dir r_dir_perms;

	# Allow invoking `pm` shell commands.
	allow postinstall package_service:service_manager find;

	# Allow postinstall to write to its stdout/stderr when redirected via pipes to
	# update_engine.
	allow postinstall update_engine_common:fd use;
	allow postinstall update_engine_common:fifo_file rw_file_perms;

	# Allow postinstall to read and execute directories and files in the same
	# mounted location.
	allow postinstall postinstall_file:file rx_file_perms;
	allow postinstall postinstall_file:lnk_file r_file_perms;
	allow postinstall postinstall_file:dir r_dir_perms;

	# Allow postinstall to execute the shell or other system executables.
	allow postinstall shell_exec:file rx_file_perms;
	allow postinstall system_file:file rx_file_perms;
	allow postinstall toolbox_exec:file rx_file_perms;

	# Allow postinstall to execute shell in recovery.
	recovery_only(`
	allow postinstall rootfs:file rx_file_perms;
	')

	#
	# For OTA dexopt.
	#

	# Allow postinstall scripts to talk to the system server.
	binder_use(postinstall)
	binder_call(postinstall, system_server)

	# Need to talk to the otadexopt service.
	allow postinstall otadexopt_service:service_manager find;

	# Allow postinstall scripts to trigger f2fs garbage collection
	allow postinstall sysfs_fs_f2fs:file rw_file_perms;
	allow postinstall sysfs_fs_f2fs:dir r_dir_perms;

	###
	### Neverallow rules
	###

	# No domain other than update_engine and recovery (via update_engine_sideload)
	# should transition to postinstall, as it is only meant to run during the
	# update.
	neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };