# Domain where the postinstall program runs during the update.
# Extend the permissions in this domain to allow this program to access other
# files needed by the specific device in your device's sepolicy directory.
#
# Keep additions narrow and typed: every rule below names one target type, and
# whatever program the update runs as postinstall exercises all of them. The
# `domain` attribute also makes postinstall subject to every rule written
# against `domain` elsewhere in the policy, including the neverallow at the
# end of this file, whose source set is built from that attribute.
type postinstall, domain;

# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
# Only use of the inherited descriptor and read/write on the pipe are granted;
# these two rules give no other access to update_engine_common objects.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file rw_file_perms;

# Allow postinstall to read and execute directories and files in the same
# mounted location.
# Regular files get read/execute (rx_file_perms), symlinks read-only, and
# directories read/search. Nothing in this file grants write access to
# postinstall_file, so the mounted location is read-only for this domain
# unless another policy file adds it.
allow postinstall postinstall_file:file rx_file_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:dir r_dir_perms;

# Allow postinstall to execute the shell or other system executables.
# system_file covers every file carrying that label, so this is the broadest
# grant in the domain. No domain transition is declared in this file for these
# executables, so unless another file adds one they keep running in
# postinstall with exactly the permissions listed here.
allow postinstall shell_exec:file rx_file_perms;
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;

#
# For OTA dexopt.
#

# Allow postinstall scripts to talk to the system server.
# binder_use provides the generic binder client permissions; binder_call names
# system_server explicitly, which is the only binder peer granted in this file.
binder_use(postinstall)
binder_call(postinstall, system_server)

# Need to talk to the otadexopt service.
# `find` only lets postinstall look the service up through service_manager;
# calling it relies on the binder_call rule above.
allow postinstall otadexopt_service:service_manager find;

# Executing a file labeled otapreopt_chroot_exec automatically transitions the
# process into the otapreopt_chroot domain, so the chroot helper runs with that
# domain's permissions rather than postinstall's.
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)

# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
# This is a build-time assertion: policy compilation fails if any rule anywhere
# in the policy grants the transition. dyntransition (the permission setcon()
# needs) is listed as well so postinstall cannot be reached that way either.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };