sepolicy/private/update_engine.te - android_vendor_omni - Gitiles

 r_dir_file(update_engine, mnt_user_file)
 r_dir_file(update_engine, storage_file)
 r_dir_file(update_engine, fuse)

 allow update_engine self:capability { chown fsetid dac_read_search };
 allow update_engine self:process { setexec };

 allow update_engine labeledfs:filesystem { mount unmount };

 allow update_engine { otapreopt_chroot_exec toolbox_exec }:file rx_file_perms;

 allow update_engine labeledfs:filesystem mount;
 allow update_engine rootfs:file { rx_file_perms relabelfrom rename setattr unlink };
 allow update_engine rootfs:dir { create write open add_name read rmdir remove_name };

 allow update_engine system_data_file:file { create read write open unlink };
 allow update_engine system_data_file:dir { create write add_name read remove_name unlink };

 allow update_engine system_file:file { create setattr write relabelto relabelfrom rename rx_file_perms unlink };
 allow update_engine system_file:dir { create setattr write rmdir remove_name add_name setattr };

 allow update_engine storage_file:lnk_file read;
 allow update_engine toolbox_exec:file { execute getattr };

 allow update_engine sepolicy_file:file { append };

 allow update_engine gsi_metadata_file:dir search;
 allow update_engine metadata_file:dir { getattr search };
 allow update_engine rootfs:file { append create write };
 #####
 allow update_engine proc_filesystems:file { getattr open read };
 allow update_engine system_file:lnk_file { create rename };
 allow update_engine system_lib_file:dir { add_name setattr write };
 allow update_engine system_lib_file:file { create relabelfrom setattr write };

 #allow update_engine vendor_overlay_file:dir { getattr search };
 allow update_engine vendor_overlay_file:file { getattr read };
 allow update_engine linkerconfig_file:dir { getattr };
 allow update_engine update_engine:capability { kill };
 allow update_engine otadexopt_service:service_manager find;
 binder_call(update_engine, platform_app)

 # Allow transition to backuptool domain
 domain_trans(update_engine, otapreopt_chroot_exec, backuptool)
	r_dir_file(update_engine, mnt_user_file)
	r_dir_file(update_engine, storage_file)
	r_dir_file(update_engine, fuse)

	allow update_engine self:capability { chown fsetid dac_read_search };
	allow update_engine self:process { setexec };

	allow update_engine labeledfs:filesystem { mount unmount };

	allow update_engine { otapreopt_chroot_exec toolbox_exec }:file rx_file_perms;

	allow update_engine labeledfs:filesystem mount;
	allow update_engine rootfs:file { rx_file_perms relabelfrom rename setattr unlink };
	allow update_engine rootfs:dir { create write open add_name read rmdir remove_name };

	allow update_engine system_data_file:file { create read write open unlink };
	allow update_engine system_data_file:dir { create write add_name read remove_name unlink };

	allow update_engine system_file:file { create setattr write relabelto relabelfrom rename rx_file_perms unlink };
	allow update_engine system_file:dir { create setattr write rmdir remove_name add_name setattr };

	allow update_engine storage_file:lnk_file read;
	allow update_engine toolbox_exec:file { execute getattr };

	allow update_engine sepolicy_file:file { append };

	allow update_engine gsi_metadata_file:dir search;
	allow update_engine metadata_file:dir { getattr search };
	allow update_engine rootfs:file { append create write };
	#####
	allow update_engine proc_filesystems:file { getattr open read };
	allow update_engine system_file:lnk_file { create rename };
	allow update_engine system_lib_file:dir { add_name setattr write };
	allow update_engine system_lib_file:file { create relabelfrom setattr write };

	#allow update_engine vendor_overlay_file:dir { getattr search };
	allow update_engine vendor_overlay_file:file { getattr read };
	allow update_engine linkerconfig_file:dir { getattr };
	allow update_engine update_engine:capability { kill };
	allow update_engine otadexopt_service:service_manager find;
	binder_call(update_engine, platform_app)

	# Allow transition to backuptool domain
	domain_trans(update_engine, otapreopt_chroot_exec, backuptool)