Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / ff43be2ca9dcc80711fc14e0bfb847951f677243^! / . / microdroid / sepolicy / system / public / postinstall.te
commitff43be2ca9dcc80711fc14e0bfb847951f677243[log] [tgz]
authorInseob Kim <inseob@google.com>Mon Jun 07 16:56:56 2021 +0900
committerInseob Kim <inseob@google.com>Mon Jun 07 18:44:35 2021 +0900
treebf5e839c17d58df2298c811dbf18624f24b48133
parentb50e0fabe77f1f16a9d1fd79cd351bef3834c77c [diff] [blame]
Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

diff --git a/microdroid/sepolicy/system/public/postinstall.te b/microdroid/sepolicy/system/public/postinstall.te
new file mode 100644
index 0000000..bcea2dc
--- /dev/null
+++ b/microdroid/sepolicy/system/public/postinstall.te

@@ -0,0 +1,45 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+  allow postinstall rootfs:file rx_file_perms;
+')
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };