Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / df2e5e979b9402443626d9d94a19ebce2e15eb38 / . / private / update_engine_common.te
blob: 5bba84a802abf420e05a001629b25717939f27c1 [file] [log] [blame]
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]1# update_engine payload application permissions. These are shared between the
2# background daemon and the recovery tool to sideload an update.
3
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]4# type_transition must be private policy the domain_trans rules could stay
5# public, but conceptually should go with this
Alex Light16dfb432021-03-11 11:26:08 -0800[diff] [blame]6# The postinstall program is run by update_engine_common and must be tagged
7# with postinstall_exec in the new filesystem.
8# TODO Have build system attempt to verify this
9domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
10
11# Vendor directories can have the transition as well during OTA. This is caused
12# by update_engine execing scripts in vendor to perform any update tasks needed
13# there.
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]14domain_auto_trans(update_engine_common, postinstall_file, postinstall)
Alex Light16dfb432021-03-11 11:26:08 -0800[diff] [blame]15
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]16# Allow update_engine to reach block devices in /dev/block.
17allow update_engine_common block_device:dir search;
18
19# Allow read/write on system and boot partitions.
20allow update_engine_common boot_block_device:blk_file rw_file_perms;
21allow update_engine_common system_block_device:blk_file rw_file_perms;
22
23# Where ioctls are granted via standard allow rules to block devices,
24# automatically allow common ioctls that are generally needed by
25# update_engine.
26allowxperm update_engine_common dev_type:blk_file ioctl {
27 BLKDISCARD
28 BLKDISCARDZEROES
29 BLKROGET
30 BLKROSET
31 BLKSECDISCARD
32 BLKZEROOUT
33};
34
35# Allow to set recovery options in the BCB. Used to trigger factory reset when
36# the update to an older version (channel change) or incompatible version
37# requires it.
38allow update_engine_common misc_block_device:blk_file rw_file_perms;
39
40# read fstab
41allow update_engine_common rootfs:dir getattr;
42allow update_engine_common rootfs:file r_file_perms;
43
44# Allow update_engine_common to mount on the /postinstall directory and reset the
45# labels on the mounted filesystem to postinstall_file.
46allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
47allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
Alex Light16dfb432021-03-11 11:26:08 -0800[diff] [blame]48allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]49
50# Allow update_engine_common to read and execute postinstall_file.
51allow update_engine_common postinstall_file:file rx_file_perms;
52allow update_engine_common postinstall_file:lnk_file r_file_perms;
53allow update_engine_common postinstall_file:dir r_dir_perms;
54
55# install update.zip from cache
56r_dir_file(update_engine_common, cache_file)
57
58# A postinstall program is typically a shell script (with a #!), so we allow
59# to execute those.
60allow update_engine_common shell_exec:file rx_file_perms;
61
62# Allow update_engine_common to suspend, resume and kill the postinstall program.
63allow update_engine_common postinstall:process { signal sigstop sigkill };
64
65# access /proc/cmdline
66allow update_engine_common proc_cmdline:file r_file_perms;
67
68# Read files in /sys/firmware/devicetree/base/firmware/android/
69r_dir_file(update_engine_common, sysfs_dt_firmware_android)
70
71# Needed because libdm reads sysfs to validate when a dm path is ready.
72r_dir_file(update_engine_common, sysfs_dm)
73
74# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
75allow update_engine_common sysfs:dir r_dir_perms;
76allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
77
78# read / write on /dev/device-mapper to map / unmap devices
79allow update_engine_common dm_device:chr_file rw_file_perms;
80
81# apply / verify updates on devices mapped via device mapper
82allow update_engine_common dm_device:blk_file rw_file_perms;
83
84# read /dev/dm-user, so that we can inotify wait for control devices to be
85# asynchronously created by ueventd.
86allow update_engine dm_user_device:dir r_dir_perms;
87allow update_engine dm_user_device:chr_file r_file_perms;
88
89# read / write metadata on super device to resize partitions
90allow update_engine_common super_block_device_type:blk_file rw_file_perms;
91
92# ioctl on super device to get block device alignment and alignment offset
93allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
94
95# get physical block device to map logical partitions on device mapper
96allow update_engine_common block_device:dir r_dir_perms;
97
98# Allow update_engine_common to write to statsd socket.
99unix_socket_send(update_engine_common, statsdw, statsd)
100
101# Allow to read Virtual A/B feature flags.
102get_prop(update_engine_common, virtual_ab_prop)
103
104# Allow to read GKI related flags.
105get_prop(update_engine_common, ab_update_gki_prop)
106get_prop(update_engine_common, build_bootimage_prop)
107
108# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
109allow update_engine_common metadata_file:dir search;
110allow update_engine_common ota_metadata_file:dir rw_dir_perms;
111allow update_engine_common ota_metadata_file:file create_file_perms;