xref: /aosp_15_r20/system/sepolicy/private/postinstall.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# SELinux policy for the postinstall domain, which runs the post-install step
# of an OTA update. Per the neverallow at the bottom of this file, only
# update_engine and recovery may transition into it.
typeattribute postinstall coredomain;
type postinstall_exec, system_file_type, exec_type, file_type;

# Executing a file labelled otapreopt_chroot_exec leaves postinstall and
# enters the otapreopt_chroot domain automatically.
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)

# Read-only listing and traversal of rootfs directories.
allow postinstall rootfs:dir r_dir_perms;

# Look up the package service, which the pm shell commands need.
allow postinstall package_service:service_manager find;

# update_engine redirects postinstall's stdout/stderr through pipes, so
# postinstall must be able to use the inherited descriptors and write to them.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file rw_file_perms;

# Files on the mounted postinstall location: regular files may be read and
# executed, symlinks and directories may only be read.
allow postinstall postinstall_file:file rx_file_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:dir r_dir_perms;

# Run the shell, toolbox and other system executables. rx_file_perms carries
# execute_no_trans, so these programs run inside the postinstall domain with
# every permission granted in this file. system_file is a broad label; keep
# that in mind when reviewing any new allow rule added to this domain.
allow postinstall { shell_exec system_file toolbox_exec }:file rx_file_perms;

# Recovery builds only: the shell is executed from rootfs.
recovery_only(`
  allow postinstall rootfs:file rx_file_perms;
')

#
# For OTA dexopt.
#

# Binder access, limited to calls into system_server.
binder_use(postinstall)
binder_call(postinstall, system_server)

# Look up the otadexopt service.
allow postinstall otadexopt_service:service_manager find;

# Trigger f2fs garbage collection through sysfs. The write grant covers every
# file labelled sysfs_fs_f2fs, not only the garbage-collection trigger.
allow postinstall sysfs_fs_f2fs:file rw_file_perms;
allow postinstall sysfs_fs_f2fs:dir r_dir_perms;

###
### Neverallow rules
###

# postinstall is meant to run only during an update, so entry into the domain
# is restricted to update_engine and recovery (via update_engine_sideload).
# This is a build-time assertion: it grants nothing, and the policy fails to
# compile if any other domain is given a transition into postinstall.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };