1 # Domain for update_engine daemon. 2 type update_engine, domain, update_engine_common; 3 type update_engine_exec, exec_type, file_type; 4 5 net_domain(update_engine); 6 7 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network 8 # sockets. 9 allow update_engine qtaguid_proc:file rw_file_perms; 10 allow update_engine qtaguid_device:chr_file r_file_perms; 11 12 # Following permissions are needed for update_engine. 13 allow update_engine self:process { setsched }; 14 allow update_engine self:capability { fowner sys_admin }; 15 allow update_engine kmsg_device:chr_file w_file_perms; 16 allow update_engine update_engine_exec:file rx_file_perms; 17 wakelock_use(update_engine); 18 19 # Ignore these denials. 20 dontaudit update_engine kernel:process setsched; 21 22 # Allow using persistent storage in /data/misc/update_engine. 23 allow update_engine update_engine_data_file:dir { create_dir_perms }; 24 allow update_engine update_engine_data_file:file { create_file_perms }; 25 26 # Don't allow kernel module loading, just silence the logs. 27 dontaudit update_engine kernel:system module_request; 28 29 # Register the service to perform Binder IPC. 30 binder_use(update_engine) 31 add_service(update_engine, update_engine_service) 32 33 # Allow update_engine to call the callback function provided by priv_app. 34 binder_call(update_engine, priv_app) 35 36 # Read OTA zip file at /data/ota_package/. 37 allow update_engine ota_package_file:file r_file_perms; 38 allow update_engine ota_package_file:dir r_dir_perms; 39 40 # Use Boot Control HAL 41 hal_client_domain(update_engine, hal_bootctl) 42
