1 # Domain for update_engine daemon. 2 # update_engine uses the boot_control_hal. 3 type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal; 4 type update_engine_exec, exec_type, file_type; 5 type update_engine_data_file, file_type, data_file_type; 6 7 init_daemon_domain(update_engine); 8 net_domain(update_engine); 9 10 # Following permissions are needed for update_engine. 11 allow update_engine self:process { setsched }; 12 allow update_engine self:capability { fowner sys_admin }; 13 allow update_engine kmsg_device:chr_file w_file_perms; 14 allow update_engine update_engine_exec:file rx_file_perms; 15 wakelock_use(update_engine); 16 17 # Ignore these denials. 18 dontaudit update_engine kernel:process setsched; 19 20 # Allow using persistent storage in /data/misc/update_engine. 21 allow update_engine update_engine_data_file:dir { create_dir_perms }; 22 allow update_engine update_engine_data_file:file { create_file_perms }; 23 24 # Don't allow kernel module loading, just silence the logs. 25 dontaudit update_engine kernel:system module_request; 26 27 # Register the service to perform Binder IPC. 28 binder_use(update_engine) 29 allow update_engine update_engine_service:service_manager { add }; 30 31 # Allow update_engine to call the callback function provided by priv_app. 32 binder_call(update_engine, priv_app) 33 34 # Read OTA zip file at /data/ota_package/. 35 allow update_engine ota_package_file:file r_file_perms; 36 allow update_engine ota_package_file:dir r_dir_perms; 37
