Skip to content
Snippets Groups Projects
Normal view Permalink
postinstall.te 1.16 KiB
Newer Older
  • Learn to ignore specific revisions
    • Alex Deymo's avatar
    New postinstall domain and rules to run post-install program.
    Alex Deymo committed
    1 2 3 4 5 6 7 
    # Domain where the postinstall program runs during the update.
# Extend the permissions in this domain to allow this program to access other
# files needed by the specific device on your device's sepolicy directory.
type postinstall, domain;

# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
    Alex Deymo's avatar
    Allow executing update_engine_sideload from recovery.  
    Alex Deymo committed
    8 9 
    allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file rw_file_perms;
    Alex Deymo's avatar
    New postinstall domain and rules to run post-install program.
    Alex Deymo committed
    10 11 12 13 14 15 16 17 18 19 20 
    
# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file rx_file_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:dir r_dir_perms;

# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file rx_file_perms;
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;
    Alex Deymo's avatar
    Allow postinstall_file to be an entrypoint.  
    Alex Deymo committed
    21
    Alex Deymo's avatar
    Allow executing update_engine_sideload from recovery.  
    Alex Deymo committed
    22 23 24 25 
    # No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };