1*e4a36f41SAndroid Build Coastguard Worker# Domain where the postinstall program runs during the update. 2*e4a36f41SAndroid Build Coastguard Worker# Extend the permissions in this domain to allow this program to access other 3*e4a36f41SAndroid Build Coastguard Worker# files needed by the specific device on your device's sepolicy directory. 4*e4a36f41SAndroid Build Coastguard Workertype postinstall, domain; 5*e4a36f41SAndroid Build Coastguard Worker 6*e4a36f41SAndroid Build Coastguard Worker# Allow postinstall to write to its stdout/stderr when redirected via pipes to 7*e4a36f41SAndroid Build Coastguard Worker# update_engine. 8*e4a36f41SAndroid Build Coastguard Workerallow postinstall update_engine_common:fd use; 9*e4a36f41SAndroid Build Coastguard Workerallow postinstall update_engine_common:fifo_file rw_file_perms; 10*e4a36f41SAndroid Build Coastguard Worker 11*e4a36f41SAndroid Build Coastguard Worker# Allow postinstall to read and execute directories and files in the same 12*e4a36f41SAndroid Build Coastguard Worker# mounted location. 13*e4a36f41SAndroid Build Coastguard Workerallow postinstall postinstall_file:file rx_file_perms; 14*e4a36f41SAndroid Build Coastguard Workerallow postinstall postinstall_file:lnk_file r_file_perms; 15*e4a36f41SAndroid Build Coastguard Workerallow postinstall postinstall_file:dir r_dir_perms; 16*e4a36f41SAndroid Build Coastguard Worker 17*e4a36f41SAndroid Build Coastguard Worker# Allow postinstall to execute the shell or other system executables. 18*e4a36f41SAndroid Build Coastguard Workerallow postinstall shell_exec:file rx_file_perms; 19*e4a36f41SAndroid Build Coastguard Workerallow postinstall system_file:file rx_file_perms; 20*e4a36f41SAndroid Build Coastguard Workerallow postinstall toolbox_exec:file rx_file_perms; 21*e4a36f41SAndroid Build Coastguard Worker 22*e4a36f41SAndroid Build Coastguard Worker# Allow postinstall to execute shell in recovery. 23*e4a36f41SAndroid Build Coastguard Workerrecovery_only(` 24*e4a36f41SAndroid Build Coastguard Worker allow postinstall rootfs:file rx_file_perms; 25*e4a36f41SAndroid Build Coastguard Worker') 26*e4a36f41SAndroid Build Coastguard Worker 27*e4a36f41SAndroid Build Coastguard Worker# 28*e4a36f41SAndroid Build Coastguard Worker# For OTA dexopt. 29*e4a36f41SAndroid Build Coastguard Worker# 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker# Allow postinstall scripts to talk to the system server. 32*e4a36f41SAndroid Build Coastguard Workerbinder_use(postinstall) 33*e4a36f41SAndroid Build Coastguard Workerbinder_call(postinstall, system_server) 34*e4a36f41SAndroid Build Coastguard Worker 35*e4a36f41SAndroid Build Coastguard Worker# Need to talk to the otadexopt service. 36*e4a36f41SAndroid Build Coastguard Workerallow postinstall otadexopt_service:service_manager find; 37*e4a36f41SAndroid Build Coastguard Worker 38*e4a36f41SAndroid Build Coastguard Worker# Allow postinstall scripts to trigger f2fs garbage collection 39*e4a36f41SAndroid Build Coastguard Workerallow postinstall sysfs_fs_f2fs:file rw_file_perms; 40*e4a36f41SAndroid Build Coastguard Workerallow postinstall sysfs_fs_f2fs:dir r_dir_perms; 41*e4a36f41SAndroid Build Coastguard Worker 42*e4a36f41SAndroid Build Coastguard Worker# No domain other than update_engine and recovery (via update_engine_sideload) 43*e4a36f41SAndroid Build Coastguard Worker# should transition to postinstall, as it is only meant to run during the 44*e4a36f41SAndroid Build Coastguard Worker# update. 45*e4a36f41SAndroid Build Coastguard Workerneverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition }; 46