Home | History | Annotate | Download | only in public 
      1 # Domain for update_engine daemon.
      2 type update_engine, domain, update_engine_common;
      3 type update_engine_exec, exec_type, file_type;
      4 
      5 net_domain(update_engine);
      6 
      7 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
      8 # sockets.
      9 allow update_engine qtaguid_proc:file rw_file_perms;
     10 allow update_engine qtaguid_device:chr_file r_file_perms;
     11 
     12 # Following permissions are needed for update_engine.
     13 allow update_engine self:process { setsched };
     14 allow update_engine self:global_capability_class_set { fowner sys_admin };
     15 # Note: fsetid checks are triggered when creating a file in a directory with
     16 # the setgid bit set to determine if the file should inherit setgid. In this
     17 # case, setgid on the file is undesirable so we should just suppress the
     18 # denial.
     19 dontaudit update_engine self:global_capability_class_set fsetid;
     20 
     21 allow update_engine kmsg_device:chr_file w_file_perms;
     22 allow update_engine update_engine_exec:file rx_file_perms;
     23 wakelock_use(update_engine);
     24 
     25 # Ignore these denials.
     26 dontaudit update_engine kernel:process setsched;
     27 dontaudit update_engine self:capability sys_rawio;
     28 
     29 # Allow using persistent storage in /data/misc/update_engine.
     30 allow update_engine update_engine_data_file:dir create_dir_perms;
     31 allow update_engine update_engine_data_file:file create_file_perms;
     32 
     33 # Allow using persistent storage in /data/misc/update_engine_log.
     34 allow update_engine update_engine_log_data_file:dir create_dir_perms;
     35 allow update_engine update_engine_log_data_file:file create_file_perms;
     36 
     37 # Don't allow kernel module loading, just silence the logs.
     38 dontaudit update_engine kernel:system module_request;
     39 
     40 # Register the service to perform Binder IPC.
     41 binder_use(update_engine)
     42 add_service(update_engine, update_engine_service)
     43 
     44 # Allow update_engine to call the callback function provided by priv_app.
     45 binder_call(update_engine, priv_app)
     46 
     47 # Read OTA zip file at /data/ota_package/.
     48 allow update_engine ota_package_file:file r_file_perms;
     49 allow update_engine ota_package_file:dir r_dir_perms;
     50 
     51 # Use Boot Control HAL
     52 hal_client_domain(update_engine, hal_bootctl)
     53 
     54 # access /proc/misc
     55 allow update_engine proc_misc:file r_file_perms;
     56 
     57 # read directories on /system and /vendor
     58 allow update_engine system_file:dir r_dir_perms;
     59