1# Domain for update_engine daemon. 2type update_engine, domain, update_engine_common; 3type update_engine_exec, system_file_type, exec_type, file_type; 4 5net_domain(update_engine); 6 7# Following permissions are needed for update_engine. 8allow update_engine self:process { setsched }; 9allow update_engine self:global_capability_class_set { fowner sys_admin }; 10# Note: fsetid checks are triggered when creating a file in a directory with 11# the setgid bit set to determine if the file should inherit setgid. In this 12# case, setgid on the file is undesirable so we should just suppress the 13# denial. 14dontaudit update_engine self:global_capability_class_set fsetid; 15 16allow update_engine kmsg_device:chr_file { getattr w_file_perms }; 17allow update_engine update_engine_exec:file rx_file_perms; 18wakelock_use(update_engine); 19 20# Ignore these denials. 21dontaudit update_engine kernel:process setsched; 22dontaudit update_engine self:global_capability_class_set sys_rawio; 23 24# Allow using persistent storage in /data/misc/update_engine. 25allow update_engine update_engine_data_file:dir create_dir_perms; 26allow update_engine update_engine_data_file:file create_file_perms; 27 28# Allow using persistent storage in /data/misc/update_engine_log. 29allow update_engine update_engine_log_data_file:dir create_dir_perms; 30allow update_engine update_engine_log_data_file:file create_file_perms; 31 32# Register the service to perform Binder IPC. 33binder_use(update_engine) 34add_service(update_engine, update_engine_service) 35add_service(update_engine, update_engine_stable_service) 36 37# Allow update_engine to call the callback function provided by priv_app/GMS core. 38binder_call(update_engine, priv_app) 39# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain. 40userdebug_or_eng(` 41 auditallow update_engine priv_app:binder { call transfer }; 42 auditallow priv_app update_engine:binder transfer; 43 auditallow update_engine priv_app:fd use; 44') 45 46binder_call(update_engine, gmscore_app) 47 48# Allow update_engine to call the callback function provided by system_server. 49binder_call(update_engine, system_server) 50 51# Read OTA zip file at /data/ota_package/. 52allow update_engine ota_package_file:file r_file_perms; 53allow update_engine ota_package_file:dir r_dir_perms; 54 55# Use Boot Control HAL 56hal_client_domain(update_engine, hal_bootctl) 57 58# access /proc/misc 59allow update_engine proc_misc:file r_file_perms; 60 61# read directories on /system and /vendor 62allow update_engine system_file:dir r_dir_perms; 63 64# Allow ReadDefaultFstab(). 65# update_engine tries to determine the parent path for all devices (e.g. 66# /dev/block/by-name) by reading the default fstab and looking for the misc 67# device. 68read_fstab(update_engine) 69 70# Allow to write to snapshotctl_log logs. 71# TODO(b/148818798) revert when parent bug is fixed. 72userdebug_or_eng(` 73allow update_engine snapshotctl_log_data_file:dir rw_dir_perms; 74allow update_engine snapshotctl_log_data_file:file create_file_perms; 75') 76 77# Allow determining filesystems available on system. 78# Needed for checking if overlayfs is enabled 79allow update_engine proc_filesystems:file r_file_perms; 80