Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 75806ef3c529c019ab002072cca7951b91f245aa^! / . / private / postinstall.te
commit75806ef3c529c019ab002072cca7951b91f245aa[log] [tgz]
authorInseob Kim <inseob@google.com>Wed Mar 27 17:18:41 2024 +0900
committerInseob Kim <inseob@google.com>Thu Mar 28 00:33:46 2024 +0000
treecbd0c46779774cd09f127c0e20144c39dff08dca
parente98c6d2b38114e0819a558ef5e0d2793a30eebff [diff] [blame]
Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

diff --git a/private/postinstall.te b/private/postinstall.te
index 92ddbbf..5a2804b 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te

@@ -6,3 +6,48 @@
 
 # Allow invoking `pm` shell commands.
 allow postinstall package_service:service_manager find;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+  allow postinstall rootfs:file rx_file_perms;
+')
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };