| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 1 | typeattribute update_verifier coredomain; |
| 2 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 3 | init_daemon_domain(update_verifier) |
| Inseob Kim | 55e5c9b | 2020-03-04 17:20:35 +0900 | [diff] [blame] | 4 | |
| 5 | # Allow update_verifier to reboot the device. |
| 6 | set_prop(update_verifier, powerctl_prop) |
| 7 | |
| 8 | # Allow to set the OTA related properties e.g. ota.warm_reset. |
| 9 | set_prop(update_verifier, ota_prop) |
| Akilesh Kailash | 5fe8252 | 2022-03-23 18:50:23 +0000 | [diff] [blame] | 10 | |
| 11 | # allow update_verifier to connect to snapuserd daemon |
| 12 | allow update_verifier snapuserd_socket:sock_file write; |
| 13 | allow update_verifier snapuserd:unix_stream_socket connectto; |
| 14 | |
| 15 | # virtual a/b properties |
| 16 | get_prop(update_verifier, virtual_ab_prop) |
| Inseob Kim | 75806ef | 2024-03-27 17:18:41 +0900 | [diff] [blame] | 17 | |
| 18 | # Allow update_verifier to reach block devices in /dev/block. |
| 19 | allow update_verifier block_device:dir search; |
| 20 | |
| 21 | # Read care map in /data/ota_package/. |
| 22 | allow update_verifier ota_package_file:dir r_dir_perms; |
| 23 | allow update_verifier ota_package_file:file r_file_perms; |
| 24 | |
| 25 | # Read /sys/block to find all the DM directories like (/sys/block/dm-X). |
| 26 | allow update_verifier sysfs:dir r_dir_perms; |
| 27 | |
| 28 | # Read /sys/block/dm-X/dm/name (which is a symlink to |
| 29 | # /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between |
| 30 | # dm-X and system/vendor partitions. |
| 31 | allow update_verifier sysfs_dm:dir r_dir_perms; |
| 32 | allow update_verifier sysfs_dm:file r_file_perms; |
| 33 | |
| 34 | # Read all blocks in DM wrapped system partition. |
| 35 | allow update_verifier dm_device:blk_file r_file_perms; |
| 36 | |
| 37 | # Write to kernel message. |
| 38 | allow update_verifier kmsg_device:chr_file { getattr w_file_perms }; |
| 39 | |
| 40 | # Use Boot Control HAL |
| 41 | hal_client_domain(update_verifier, hal_bootctl) |
| 42 | |
| 43 | # Access Checkpoint commands over binder |
| 44 | allow update_verifier vold_service:service_manager find; |
| 45 | binder_call(update_verifier, servicemanager) |
| 46 | binder_call(update_verifier, vold) |