Skip to content
Snippets Groups Projects
Normal view Permalink
update_engine.te 1.77 KiB
Newer Older
  • Learn to ignore specific revisions
    • David Zeuthen's avatar
    Move update_engine policy to AOSP.
    David Zeuthen committed
    1 
    # Domain for update_engine daemon.
    Jeff Vander Stoep's avatar
    Move domain_deprecated into private policy  
    Jeff Vander Stoep committed
    2 
    type update_engine, domain, update_engine_common;
    David Zeuthen's avatar
    Move update_engine policy to AOSP.
    David Zeuthen committed
    3 4 5 6 
    type update_engine_exec, exec_type, file_type;

net_domain(update_engine);
    Alex Deymo's avatar
    update_engine: Allow to tag sockets.  
    Alex Deymo committed
    7 8 9 10 11 
    # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
# sockets.
allow update_engine qtaguid_proc:file rw_file_perms;
allow update_engine qtaguid_device:chr_file r_file_perms;
    David Zeuthen's avatar
    Move update_engine policy to AOSP.
    David Zeuthen committed
    12 13 14 15 
    # Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };
allow update_engine kmsg_device:chr_file w_file_perms;
    Sen Jiang's avatar
    Add bspatch to update_engine_exec.  
    Sen Jiang committed
    16 
    allow update_engine update_engine_exec:file rx_file_perms;
    David Zeuthen's avatar
    Move update_engine policy to AOSP.
    David Zeuthen committed
    17 18 
    wakelock_use(update_engine);
    Alex Deymo's avatar
    New postinstall domain and rules to run post-install program.  
    Alex Deymo committed
    19 20 21 
    # Ignore these denials.
dontaudit update_engine kernel:process setsched;
    David Zeuthen's avatar
    Move update_engine policy to AOSP.
    David Zeuthen committed
    22 23 24 25 26 27 
    # Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };

# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
    Tao Bao's avatar
    Allow update_engine to use Binder IPC.  
    Tao Bao committed
    28 29 30 
    
# Register the service to perform Binder IPC.
binder_use(update_engine)
    William Roberts's avatar
    te_macros: introduce add_service() macro  
    William Roberts committed
    31 
    add_service(update_engine, update_engine_service)
    Tao Bao's avatar
    Allow update_engine to use Binder IPC.  
    Tao Bao committed
    32 33 34 
    
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
    Tao Bao's avatar
    Add ota_package_file label for OTA packages.  
    Tao Bao committed
    35 36 37 38 
    
# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;
    Connor O'Brien's avatar
    Add permissions for hal_boot  
    Connor O'Brien committed
    39
    Alex Klyubin's avatar
    Switch Boot Control HAL policy to _client/_server  
    Alex Klyubin committed
    40 41 
    # Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
    Tri Vo's avatar
    Move update_engine rules out of update_engine_common.te  
    Tri Vo committed
    42 43 44 45 46 47 48 49 50 51 
    
# access /proc/misc and /proc/sys/kernel/random/boot_id
allow update_engine proc:file r_file_perms;
allow update_engine proc_misc:file r_file_perms;

# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;

# Read files in /sys
r_dir_file(update_engine, sysfs)