Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 77a8ac9ab4a980d6c4759dc784ab8ea51a0e29da / . / private / update_engine.te
blob: 6a60718222a15a857b57216931718e2f508a07d0 [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute update_engine coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3init_daemon_domain(update_engine);
Yifan Hong07a99e12019-08-07 13:01:15 -0700[diff] [blame]4
5# Allow to talk to gsid.
6allow update_engine gsi_service:service_manager find;
7binder_call(update_engine, gsid)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]8
9# Allow to start gsid service.
10set_prop(update_engine, ctl_gsid_prop)
11
David Anderson09bb9442020-11-13 00:45:59 -0800[diff] [blame]12# Allow to start snapuserd for dm-user communication.
13set_prop(update_engine, ctl_snapuserd_prop)
14
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]15# Allow to set the OTA related properties, e.g. ota.warm_reset.
16set_prop(update_engine, ota_prop)
Kelvin Zhang60456bd2023-05-18 09:50:05 -0700[diff] [blame]17get_prop(update_engine, ota_build_prop)
Howard Chen2a2278e2020-04-30 17:45:45 +0800[diff] [blame]18
19# Allow to get the DSU status
20get_prop(update_engine, gsid_prop)
Yifan Hong8ac37f02020-06-01 15:07:50 -0700[diff] [blame]21
22# Allow update_engine to call the callback function provided by GKI update hook.
23binder_call(update_engine, gki_apex_prepostinstall)
David Anderson09bb9442020-11-13 00:45:59 -0800[diff] [blame]24
Pawan Waghc35c8af2023-09-20 00:05:07 +0000[diff] [blame]25# Allow update_engine to call the callback function by settings app
26# for the kernel update triggered using 16k developer option
27binder_call(update_engine, system_app)
28
David Anderson09bb9442020-11-13 00:45:59 -0800[diff] [blame]29# Allow to communicate with the snapuserd service, for dm-user snapshots.
30allow update_engine snapuserd:unix_stream_socket connectto;
31allow update_engine snapuserd_socket:sock_file write;
David Anderson9e21df22021-07-27 18:51:18 -0700[diff] [blame]32get_prop(update_engine, snapuserd_prop)
Mohammad Samiul Islam606a3dc2021-02-18 19:55:31 +0000[diff] [blame]33
34# Allow to communicate with apexd for calculating and reserving space for
35# capex decompression
36allow update_engine apex_service:service_manager find;
37binder_call(update_engine, apexd)
Kelvin Zhang187cb2c2022-03-30 20:05:23 -0700[diff] [blame]38
39# let this domain use the hal service
40binder_use(update_engine)
41hal_client_domain(update_engine, hal_bootctl)
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]42
43net_domain(update_engine);
44
45# Following permissions are needed for update_engine.
46allow update_engine self:process { setsched };
47allow update_engine self:global_capability_class_set { fowner sys_admin };
48# Note: fsetid checks are triggered when creating a file in a directory with
49# the setgid bit set to determine if the file should inherit setgid. In this
50# case, setgid on the file is undesirable so we should just suppress the
51# denial.
52dontaudit update_engine self:global_capability_class_set fsetid;
53
54allow update_engine kmsg_device:chr_file { getattr w_file_perms };
55allow update_engine update_engine_exec:file rx_file_perms;
56wakelock_use(update_engine);
57
58# Ignore these denials.
59dontaudit update_engine kernel:process setsched;
60dontaudit update_engine self:global_capability_class_set sys_rawio;
61
62# Allow using persistent storage in /data/misc/update_engine.
63allow update_engine update_engine_data_file:dir create_dir_perms;
64allow update_engine update_engine_data_file:file create_file_perms;
65
66# Allow using persistent storage in /data/misc/update_engine_log.
67allow update_engine update_engine_log_data_file:dir create_dir_perms;
68allow update_engine update_engine_log_data_file:file create_file_perms;
69
70# Register the service to perform Binder IPC.
71binder_use(update_engine)
72add_service(update_engine, update_engine_service)
73add_service(update_engine, update_engine_stable_service)
74
75# Allow update_engine to call the callback function provided by priv_app/GMS core.
76binder_call(update_engine, priv_app)
77# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
78userdebug_or_eng(`
79 auditallow update_engine priv_app:binder { call transfer };
80 auditallow priv_app update_engine:binder transfer;
81 auditallow update_engine priv_app:fd use;
82')
83
84binder_call(update_engine, gmscore_app)
85
86# Allow update_engine to call the callback function provided by system_server.
87binder_call(update_engine, system_server)
88
89# Read OTA zip file at /data/ota_package/.
90allow update_engine ota_package_file:file r_file_perms;
91allow update_engine ota_package_file:dir r_dir_perms;
92
93# Use Boot Control HAL
94hal_client_domain(update_engine, hal_bootctl)
95
96# access /proc/misc
97allow update_engine proc_misc:file r_file_perms;
98
99# read directories on /system and /vendor
100allow update_engine system_file:dir r_dir_perms;
101
102# Allow ReadDefaultFstab().
103# update_engine tries to determine the parent path for all devices (e.g.
104# /dev/block/by-name) by reading the default fstab and looking for the misc
105# device.
106read_fstab(update_engine)
107
108# Allow to write to snapshotctl_log logs.
109# TODO(b/148818798) revert when parent bug is fixed.
110userdebug_or_eng(`
111allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
112allow update_engine snapshotctl_log_data_file:file create_file_perms;
113')
114
115# Allow determining filesystems available on system.
116# Needed for checking if overlayfs is enabled
117allow update_engine proc_filesystems:file r_file_perms;