diff options
Diffstat (limited to 'prebuilts/api/32.0/public/update_engine.te')
| -rw-r--r-- | prebuilts/api/32.0/public/update_engine.te | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/public/update_engine.te b/prebuilts/api/32.0/public/update_engine.te new file mode 100644 index 000000000..ab7090bbc --- /dev/null +++ b/prebuilts/api/32.0/public/update_engine.te @@ -0,0 +1,78 @@ +# Domain for update_engine daemon. +type update_engine, domain, update_engine_common; +type update_engine_exec, system_file_type, exec_type, file_type; + +net_domain(update_engine); + +# Following permissions are needed for update_engine. +allow update_engine self:process { setsched }; +allow update_engine self:global_capability_class_set { fowner sys_admin }; +# Note: fsetid checks are triggered when creating a file in a directory with +# the setgid bit set to determine if the file should inherit setgid. In this +# case, setgid on the file is undesirable so we should just suppress the +# denial. +dontaudit update_engine self:global_capability_class_set fsetid; + +allow update_engine kmsg_device:chr_file { getattr w_file_perms }; +allow update_engine update_engine_exec:file rx_file_perms; +wakelock_use(update_engine); + +# Ignore these denials. +dontaudit update_engine kernel:process setsched; +dontaudit update_engine self:global_capability_class_set sys_rawio; + +# Allow using persistent storage in /data/misc/update_engine. +allow update_engine update_engine_data_file:dir create_dir_perms; +allow update_engine update_engine_data_file:file create_file_perms; + +# Allow using persistent storage in /data/misc/update_engine_log. +allow update_engine update_engine_log_data_file:dir create_dir_perms; +allow update_engine update_engine_log_data_file:file create_file_perms; + +# Don't allow kernel module loading, just silence the logs. +dontaudit update_engine kernel:system module_request; + +# Register the service to perform Binder IPC. +binder_use(update_engine) +add_service(update_engine, update_engine_service) +add_service(update_engine, update_engine_stable_service) + +# Allow update_engine to call the callback function provided by priv_app/GMS core. +binder_call(update_engine, priv_app) +# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain. +userdebug_or_eng(` + auditallow update_engine priv_app:binder { call transfer }; + auditallow priv_app update_engine:binder transfer; + auditallow update_engine priv_app:fd use; +') + +binder_call(update_engine, gmscore_app) + +# Allow update_engine to call the callback function provided by system_server. +binder_call(update_engine, system_server) + +# Read OTA zip file at /data/ota_package/. +allow update_engine ota_package_file:file r_file_perms; +allow update_engine ota_package_file:dir r_dir_perms; + +# Use Boot Control HAL +hal_client_domain(update_engine, hal_bootctl) + +# access /proc/misc +allow update_engine proc_misc:file r_file_perms; + +# read directories on /system and /vendor +allow update_engine system_file:dir r_dir_perms; + +# Allow ReadDefaultFstab(). +# update_engine tries to determine the parent path for all devices (e.g. +# /dev/block/by-name) by reading the default fstab and looking for the misc +# device. +read_fstab(update_engine) + +# Allow to write to snapshotctl_log logs. +# TODO(b/148818798) revert when parent bug is fixed. +userdebug_or_eng(` +allow update_engine snapshotctl_log_data_file:dir rw_dir_perms; +allow update_engine snapshotctl_log_data_file:file create_file_perms; +') |