# SELinux policy for the postinstall domain. Per the neverallow rule at the
# end of this file, the domain is only meant to run during an update.
# Comments here avoid quote characters because the file is preprocessed by m4.

# Tag the postinstall domain with the coredomain attribute.
typeattribute postinstall coredomain;

# Declare postinstall_exec as an executable system file type. No rule in this
# file references it.
# NOTE(review): presumably the label of the postinstall binary - confirm
# against file_contexts.
type postinstall_exec, system_file_type, exec_type, file_type;

# Executing a file labeled otapreopt_chroot_exec from postinstall moves the
# process into the otapreopt_chroot domain automatically.
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)

# Read-only directory access on rootfs.
allow postinstall rootfs:dir r_dir_perms;

# Allow invoking pm shell commands (needs lookup of the package service).
allow postinstall package_service:service_manager find;

# stdout/stderr of postinstall may be pipes inherited from update_engine, so
# it has to use those descriptors and read/write the underlying FIFOs.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file rw_file_perms;

# Content of the mounted location postinstall runs from: files may be read and
# executed, symlinks and directories may only be read.
allow postinstall postinstall_file:dir r_dir_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:file rx_file_perms;

# Shell, toolbox and other system executables. rx_file_perms includes
# execute_no_trans, so unless a transition rule applies these programs run
# inside the postinstall domain with all of its permissions.
allow postinstall {
  shell_exec
  system_file
  toolbox_exec
}:file rx_file_perms;

# Recovery builds only: the shell is executed from rootfs there.
recovery_only(`
  allow postinstall rootfs:file rx_file_perms;
')

#
# For OTA dexopt.
#

# Binder access, limited to calls into system_server.
binder_use(postinstall)
binder_call(postinstall, system_server)

# Lookup of the otadexopt service.
allow postinstall otadexopt_service:service_manager find;

# Let postinstall scripts trigger f2fs garbage collection through sysfs.
# NOTE(review): this grants read/write on every node labeled sysfs_fs_f2fs,
# not only a GC trigger - confirm that breadth is intended.
allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
allow postinstall sysfs_fs_f2fs:file rw_file_perms;

###
### Neverallow rules
###

# Build-time assertion: only update_engine and recovery (via
# update_engine_sideload) may transition into postinstall, since the domain is
# only meant to run during the update. The exemption names the whole recovery
# domain, and the rule covers both transition and dyntransition.
neverallow {
  domain
  -update_engine
  -recovery
} postinstall:process { transition dyntransition };