typeattribute update_engine coredomain;

init_daemon_domain(update_engine);

# Allow to talk to gsid.
allow update_engine gsi_service:service_manager find;
binder_call(update_engine, gsid)

# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)

# Allow to start snapuserd for dm-user communication.
set_prop(update_engine, ctl_snapuserd_prop)

# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
get_prop(update_engine, ota_build_prop)

# Allow to get the DSU status
get_prop(update_engine, gsid_prop)

# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)

# Allow update_engine to call the callback function by settings app
# for the kernel update triggered using 16k developer option
binder_call(update_engine, system_app)

# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
get_prop(update_engine, snapuserd_prop)

# Allow to communicate with apexd for calculating and reserving space for
# capex decompression
allow update_engine apex_service:service_manager find;
binder_call(update_engine, apexd)

# let this domain use the hal service
binder_use(update_engine)
hal_client_domain(update_engine, hal_bootctl)

net_domain(update_engine);

# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:global_capability_class_set { fowner sys_admin };
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
dontaudit update_engine self:global_capability_class_set fsetid;

allow update_engine kmsg_device:chr_file { getattr w_file_perms };
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);

# Ignore these denials.
dontaudit update_engine kernel:process setsched;
dontaudit update_engine self:global_capability_class_set sys_rawio;

# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir create_dir_perms;
allow update_engine update_engine_data_file:file create_file_perms;

# Allow using persistent storage in /data/misc/update_engine_log.
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;

# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
add_service(update_engine, update_engine_stable_service)

# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
userdebug_or_eng(`
  auditallow update_engine priv_app:binder { call transfer };
  auditallow priv_app update_engine:binder transfer;
  auditallow update_engine priv_app:fd use;
')

binder_call(update_engine, gmscore_app)

# Allow update_engine to call the callback function provided by system_server.
binder_call(update_engine, system_server)

# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;

# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)

# access /proc/misc
allow update_engine proc_misc:file r_file_perms;

# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;

# Allow ReadDefaultFstab().
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device.
read_fstab(update_engine)

# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
userdebug_or_eng(`
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')

# Allow determining filesystems available on system.
# Needed for checking if overlayfs is enabled
allow update_engine proc_filesystems:file r_file_perms;

allow update_engine vendor_boot_ota_file:dir { r_dir_perms };
allow update_engine vendor_boot_ota_file:file { r_file_perms };
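The policy above mixes three statement kinds with very different effects (allow grants, dontaudit only silences a denial, auditallow only logs uses of something already granted) and fences some rules behind userdebug_or_eng so they never reach user builds. Reviewing that by eye is error-prone, so what follows is an added example, not code from AOSP sepolicy or the update_engine project: a small Python parser for the subset of .te syntax this file uses, with a per-domain summary a reviewer can assert on. The names Rule, parse_te, summarize and the BROAD_CAPS set are this example's own choices; m4 macros such as binder_call are recorded as edges rather than expanded (their real expansions live in AOSP's te_macros, which the example does not read). The embedded POLICY string is an excerpt copied from the rules on this page.

```python
# Added example: parse the subset of SELinux .te syntax used by update_engine.te
# and summarise what a domain is granted, what is merely silenced, and who it
# may call over binder. Not part of AOSP sepolicy.
import re
from dataclasses import dataclass

AV_RE = re.compile(r"^(allow|dontaudit|auditallow)\s+(\S+)\s+([^:\s]+):(\S+)\s+(.+?);$")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\S+)\s+(\S+);$")
MACRO_RE = re.compile(r"^([A-Za-z_]+)\((.*)\)$")
DEBUG_OPEN, DEBUG_CLOSE = "userdebug_or_eng(`", "')"

# Capabilities this reviewer treats as near-root (assumption: a reviewer's list,
# not something the policy itself defines).
BROAD_CAPS = {"sys_admin", "dac_override", "dac_read_search", "sys_ptrace", "sys_module"}


@dataclass(frozen=True)
class Rule:
    kind: str          # allow / dontaudit / auditallow / typeattribute / macro name
    source: str
    target: str        # object type, attribute, or second macro argument
    tclass: str        # object class; empty for macros and typeattribute
    perms: frozenset   # permission names as written (perm-set macros not expanded)
    debug_only: bool   # True when wrapped in userdebug_or_eng(` ... ')


def parse_te(text):
    """Turn .te text into Rule objects. Macros are kept as edges, not expanded."""
    rules, depth = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith(DEBUG_OPEN):               # enter a debug-only block
            depth += 1
            line = line[len(DEBUG_OPEN):].strip()
            if not line:
                continue
        if line == DEBUG_CLOSE:                       # leave the debug-only block
            depth -= 1
            continue
        m = AV_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append(Rule(kind, src, tgt, cls, frozenset(perms.strip("{} ").split()), depth > 0))
            continue
        m = TYPEATTR_RE.match(line)
        if m:
            rules.append(Rule("typeattribute", m.group(1), m.group(2), "", frozenset(), depth > 0))
            continue
        m = MACRO_RE.match(line.rstrip(";"))
        if m:
            args = [a.strip() for a in m.group(2).split(",") if a.strip()]
            rules.append(Rule(m.group(1), args[0] if args else "",
                              args[1] if len(args) > 1 else "", "", frozenset(), depth > 0))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    if depth != 0:
        raise ValueError("unbalanced userdebug_or_eng block")
    return rules


def summarize(rules, domain):
    """What `domain` is granted, what is only silenced, and whom it can binder-call."""
    s = {"caps_allowed": set(), "caps_silenced": set(), "binder_targets": set(),
         "attributes": set(), "debug_only": []}
    for r in rules:
        if r.source != domain:
            continue
        if r.tclass == "global_capability_class_set" and r.target == "self":
            if r.kind == "allow":
                s["caps_allowed"] |= r.perms
            elif r.kind == "dontaudit":
                s["caps_silenced"] |= r.perms     # denial hidden, capability NOT granted
        elif r.kind == "binder_call":
            s["binder_targets"].add(r.target)
        elif r.kind == "typeattribute":
            s["attributes"].add(r.target)
        if r.debug_only:                          # absent from user builds
            s["debug_only"].append(r)
    s["broad_caps"] = s["caps_allowed"] & BROAD_CAPS
    return s


# Excerpt copied from the update_engine.te rules on this page (constructed sample input).
POLICY = """\
typeattribute update_engine coredomain;
init_daemon_domain(update_engine);
binder_call(update_engine, gsid)
set_prop(update_engine, ctl_gsid_prop)
allow update_engine self:global_capability_class_set { fowner sys_admin };
dontaudit update_engine self:global_capability_class_set fsetid;
dontaudit update_engine self:global_capability_class_set sys_rawio;
binder_call(update_engine, priv_app)
userdebug_or_eng(`
  auditallow update_engine priv_app:binder { call transfer };
  auditallow priv_app update_engine:binder transfer;
  auditallow update_engine priv_app:fd use;
')
binder_call(update_engine, gmscore_app)
binder_call(update_engine, system_server)
allow update_engine ota_package_file:file r_file_perms;
userdebug_or_eng(`
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')
"""

if __name__ == "__main__":
    for key, value in summarize(parse_te(POLICY), "update_engine").items():
        print(f"{key}: {value}")
```

Three points the summary makes explicit: the two dontaudit lines hide the fsetid and sys_rawio denials but leave them denied, so they do not widen the domain; the auditallow lines grant nothing either, they log each use of the already-granted `binder_call(update_engine, priv_app)` edge on debuggable builds so any priv_app caller other than GMS core shows up in the audit log (the purpose stated in the b/142672293 comment); and everything inside userdebug_or_eng is simply not compiled into user builds, so a finding that rests on those rules does not apply to production devices. The one capability worth a second look is sys_admin, which is broad enough that a compromise of update_engine would not be contained by the capability bound alone.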