Gitiles
Code Review Sign In
gerrit.omnirom.org / android_vendor_omni / 96d747b4ca47a67cb6a708bd01ce9e90909e5324 / . / sepolicy / private / update_engine.te
blob: e5f71523c39974843e5bc6f7aa28c622df78503e [file] [log] [blame]
Marko Mane2e1d7e2018-08-26 23:15:26 +0200[diff] [blame]1r_dir_file(update_engine, mnt_user_file)
2r_dir_file(update_engine, storage_file)
maxwen95383d62022-11-13 15:24:22 +0100[diff] [blame]3r_dir_file(update_engine, fuse)
Marko Mane2e1d7e2018-08-26 23:15:26 +0200[diff] [blame]4
Marko Man52470792020-10-24 23:17:07 +0200[diff] [blame]5allow update_engine self:capability { chown fsetid dac_read_search };
Marko Man07f6ad92020-03-15 23:29:09 +0100[diff] [blame]6allow update_engine self:process { setexec };
Marko Mane2e1d7e2018-08-26 23:15:26 +0200[diff] [blame]7
8allow update_engine labeledfs:filesystem { mount unmount };
9
maxwen1630ca72018-10-03 19:13:17 +0200[diff] [blame]10allow update_engine { otapreopt_chroot_exec toolbox_exec }:file rx_file_perms;
Marko Manf2b9bf92018-09-01 19:21:27 +0200[diff] [blame]11
12allow update_engine labeledfs:filesystem mount;
Marko Manbe9caa02019-10-11 10:35:54 +0200[diff] [blame]13allow update_engine rootfs:file { rx_file_perms relabelfrom rename setattr unlink };
maxwen1630ca72018-10-03 19:13:17 +0200[diff] [blame]14allow update_engine rootfs:dir { create write open add_name read rmdir remove_name };
15
16allow update_engine system_data_file:file { create read write open unlink };
17allow update_engine system_data_file:dir { create write add_name read remove_name unlink };
18
micky3872e3cf9d2021-01-13 02:39:36 +0100[diff] [blame]19allow update_engine system_file:file { create setattr write relabelto relabelfrom rename rx_file_perms unlink };
Marko Manbe9caa02019-10-11 10:35:54 +0200[diff] [blame]20allow update_engine system_file:dir { create setattr write rmdir remove_name add_name setattr };
maxwen1630ca72018-10-03 19:13:17 +0200[diff] [blame]21
Marko Manf2b9bf92018-09-01 19:21:27 +0200[diff] [blame]22allow update_engine storage_file:lnk_file read;
Marko Manf2b9bf92018-09-01 19:21:27 +0200[diff] [blame]23allow update_engine toolbox_exec:file { execute getattr };
Marko Mand83e01d2019-08-07 13:35:03 +0200[diff] [blame]24
25allow update_engine sepolicy_file:file { append };
Marko Manf3953cf2019-09-29 00:02:17 +0200[diff] [blame]26
27allow update_engine gsi_metadata_file:dir search;
micky3872e3cf9d2021-01-13 02:39:36 +0100[diff] [blame]28allow update_engine metadata_file:dir { getattr search };
29allow update_engine rootfs:file { append create write };
Marko Manbe9caa02019-10-11 10:35:54 +0200[diff] [blame]30#####
31allow update_engine proc_filesystems:file { getattr open read };
32allow update_engine system_file:lnk_file { create rename };
micky387489416d2020-03-16 21:29:14 +0100[diff] [blame]33allow update_engine system_lib_file:dir { add_name setattr write };
micky3872e3cf9d2021-01-13 02:39:36 +0100[diff] [blame]34allow update_engine system_lib_file:file { create relabelfrom setattr write };
Marko Manf3953cf2019-09-29 00:02:17 +0200[diff] [blame]35
micky3872e3cf9d2021-01-13 02:39:36 +0100[diff] [blame]36#allow update_engine vendor_overlay_file:dir { getattr search };
37allow update_engine vendor_overlay_file:file { getattr read };
38allow update_engine linkerconfig_file:dir { getattr };
micky3872e3cf9d2021-01-13 02:39:36 +0100[diff] [blame]39allow update_engine update_engine:capability { kill };
micky387853ec772022-08-28 12:09:20 +0200[diff] [blame]40allow update_engine otadexopt_service:service_manager find;
41binder_call(update_engine, platform_app)
Luca Stefani96d747b2019-01-03 22:50:44 +0100[diff] [blame^]42
43# Allow transition to backuptool domain
44domain_trans(update_engine, otapreopt_chroot_exec, backuptool)