blob: 5c261efe96ae53a152dd74f25cb9f360d9db511b [file] [log] [blame]
# Domain where the postinstall program runs during the update.
# Extend the permissions in this domain to allow this program to access other
# files needed by the specific device on your device's sepolicy directory.
type postinstall, domain;
# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
allow postinstall update_engine:fd use;
allow postinstall update_engine:fifo_file rw_file_perms;
# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file rx_file_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:dir r_dir_perms;
# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file rx_file_perms;
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;
# No domain other than update_engine should transition to postinstall, as it is
# only meant to run during the update.
neverallow { domain -update_engine } postinstall:process { transition dyntransition };
# For OTA dexopt.
# Allow postinstall scripts to talk to the system server.
binder_call(postinstall, system_server)
# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;