# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.

# type_transition must be private policy; the domain_trans rules could stay
# public, but conceptually belong with this.
# The postinstall program is run by update_engine_common and must be tagged
# with postinstall_exec in the new filesystem.
# TODO Have build system attempt to verify this
domain_auto_trans(update_engine_common, postinstall_exec, postinstall)

# Vendor directories can have the transition as well during OTA. This is caused
# by update_engine execing scripts in vendor to perform any update tasks needed
# there.
domain_auto_trans(update_engine_common, postinstall_file, postinstall)

# Allow update_engine to reach block devices in /dev/block.
allow update_engine_common block_device:dir search;

# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file rw_file_perms;
allow update_engine_common system_block_device:blk_file rw_file_perms;

# Where ioctls are granted via standard allow rules to block devices,
# automatically allow common ioctls that are generally needed by
# update_engine.
allowxperm update_engine_common dev_type:blk_file ioctl {
  BLKDISCARD
  BLKDISCARDZEROES
  BLKROGET
  BLKROSET
  BLKSECDISCARD
  BLKZEROOUT
};

# Allow setting recovery options in the BCB. Used to trigger a factory reset
# when an update to an older version (channel change) or an incompatible
# version requires it.
allow update_engine_common misc_block_device:blk_file rw_file_perms;

# read fstab
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file r_file_perms;

# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };

# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
allow update_engine_common postinstall_file:lnk_file r_file_perms;
allow update_engine_common postinstall_file:dir r_dir_perms;

# install update.zip from cache
r_dir_file(update_engine_common, cache_file)

# A postinstall program is typically a shell script (with a #!), so we allow
# executing those.
allow update_engine_common shell_exec:file rx_file_perms;

# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };

# access /proc/cmdline
allow update_engine_common proc_cmdline:file r_file_perms;

# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)

# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)

# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
allow update_engine_common sysfs:dir r_dir_perms;
allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;

# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;

# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;

# read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
allow update_engine dm_user_device:dir r_dir_perms;
allow update_engine dm_user_device:chr_file r_file_perms;

# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;

# ioctl on super device to get block device alignment and alignment offset
allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

# get physical block device to map logical partitions on device mapper
allow update_engine_common block_device:dir r_dir_perms;

# Allow update_engine_common to write to statsd socket.
unix_socket_send(update_engine_common, statsdw, statsd)

# Allow reading Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)

# Allow reading GKI related flags.
get_prop(update_engine_common, ab_update_gki_prop)
get_prop(update_engine_common, build_bootimage_prop)

# Allow reading/writing/creating OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
allow update_engine_common ota_metadata_file:dir { rw_dir_perms rmdir };
allow update_engine_common ota_metadata_file:file create_file_perms;
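As an added example (not part of the policy above and not AOSP code), the following Python script parses the statement forms this file uses: `allow` and `allowxperm` rules, brace-delimited permission sets that may span lines, and macro calls such as `r_dir_file(...)` and `domain_auto_trans(...)`. A reviewer auditing what a domain may do with block devices can feed it a `.te` file and list the `blk_file` types the domain may write, the ioctls it is granted on a given type, and which exec types trigger a domain transition. The `POLICY_SNIPPET` it parses is constructed from rules on this page; the `WRITE_GRANTS` table is my own simplified list of write-conferring permissions and permission macros, not the full expansion of the AOSP `global_macros` definitions.

```python
"""Minimal auditor for SELinux .te policy statements (added example, not AOSP code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str          # "allow", "allowxperm", or a macro name such as "r_dir_file"
    source: str        # source domain (first macro argument for macros)
    target: str        # target type (second macro argument for macros)
    cls: str           # security class; "" for macro calls
    perms: frozenset   # permissions or ioctl names; remaining macro arguments for macros


_COMMENT = re.compile(r"#.*")
_STMT = re.compile(
    r"^(allow|allowxperm)\s+(\S+)\s+(\S+):(\S+)\s+(?:ioctl\s+)?(\{[^}]*\}|\S+)\s*;$"
)
_MACRO = re.compile(r"^(\w+)\(([^)]*)\)$")

# Permissions and permission macros that confer write access. Simplified,
# hypothetical audit table: the macro names match those used in the policy
# above, but this is not the AOSP expansion of those macros.
WRITE_GRANTS = frozenset({
    "rw_file_perms", "w_file_perms", "create_file_perms",
    "rw_dir_perms", "create_dir_perms",
    "write", "append", "create", "unlink", "setattr", "relabelto", "mounton",
})

# Constructed sample built from rules on this page.
POLICY_SNIPPET = """
# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file rw_file_perms;
allow update_engine_common system_block_device:blk_file rw_file_perms;

allowxperm update_engine_common dev_type:blk_file ioctl {
  BLKDISCARD
  BLKROGET
};

allow update_engine_common rootfs:file r_file_perms;
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
r_dir_file(update_engine_common, cache_file)
domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
allow update_engine dm_user_device:chr_file r_file_perms;
"""


def _split_set(token):
    """Turn '{ a b c }' or 'a' into a frozenset of names."""
    token = token.strip()
    if token.startswith("{"):
        return frozenset(token.strip("{}").split())
    return frozenset([token])


def _parse_statement(stmt):
    m = _STMT.match(stmt)
    if m:
        kind, src, tgt, cls, perms = m.groups()
        return Rule(kind, src, tgt, cls, _split_set(perms))
    m = _MACRO.match(stmt)
    if m:
        name, args = m.groups()
        parts = [a.strip() for a in args.split(",")]
        target = parts[1] if len(parts) > 1 else ""
        return Rule(name, parts[0], target, "", frozenset(parts[2:]))
    raise ValueError(f"unrecognized statement: {stmt!r}")


def parse_policy(text):
    """Parse allow/allowxperm statements and macro calls; comments are stripped
    and a statement whose brace set spans several lines is joined first."""
    rules, buf = [], ""
    for line in _COMMENT.sub("", text).splitlines():
        line = line.strip()
        if not line:
            continue
        buf = f"{buf} {line}".strip() if buf else line
        if buf.endswith(";") or (buf.endswith(")") and _MACRO.match(buf)):
            rules.append(_parse_statement(buf))
            buf = ""
    return rules


def writable_block_devices(rules, domain):
    """blk_file types on which `domain` holds a write-conferring permission."""
    return {r.target for r in rules
            if r.kind == "allow" and r.source == domain and r.cls == "blk_file"
            and r.perms & WRITE_GRANTS}


def granted_ioctls(rules, domain, target):
    """Union of ioctl names granted to `domain` on `target` via allowxperm."""
    out = frozenset()
    for r in rules:
        if r.kind == "allowxperm" and r.source == domain and r.target == target:
            out |= r.perms
    return out


def domain_transitions(rules, domain):
    """Map exec type -> new domain for domain_auto_trans() calls from `domain`."""
    return {r.target: next(iter(r.perms)) for r in rules
            if r.kind == "domain_auto_trans" and r.source == domain}


if __name__ == "__main__":
    parsed = parse_policy(POLICY_SNIPPET)
    print("writable blk_file types:", sorted(writable_block_devices(parsed, "update_engine_common")))
    print("ioctls on dev_type:", sorted(granted_ioctls(parsed, "update_engine_common", "dev_type")))
    print("transitions:", domain_transitions(parsed, "update_engine_common"))
```

Run against the full file, the three queries answer the questions a reviewer of this domain asks most: which partitions the updater can overwrite, which block ioctls it may issue, and which labels cause it to spawn the separately confined `postinstall` domain. Rules the parser does not recognize raise a `ValueError` rather than being silently skipped, so a new statement form shows up as a parse failure instead of a missing row.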