xref: /aosp_15_r20/system/sepolicy/private/update_verifier.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1typeattribute update_verifier coredomain;
2
3init_daemon_domain(update_verifier)
4
5# Allow update_verifier to reboot the device.
6set_prop(update_verifier, powerctl_prop)
7
8# Allow to set the OTA related properties e.g. ota.warm_reset.
9set_prop(update_verifier, ota_prop)
10
11# allow update_verifier to connect to snapuserd daemon
12allow update_verifier snapuserd_socket:sock_file write;
13allow update_verifier snapuserd:unix_stream_socket connectto;
14
15# virtual a/b properties
16get_prop(update_verifier, virtual_ab_prop)
17
18# Allow update_verifier to reach block devices in /dev/block.
19allow update_verifier block_device:dir search;
20
21# Read care map in /data/ota_package/.
22allow update_verifier ota_package_file:dir r_dir_perms;
23allow update_verifier ota_package_file:file r_file_perms;
24
25# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
26allow update_verifier sysfs:dir r_dir_perms;
27
28# Read /sys/block/dm-X/dm/name (which is a symlink to
29# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
30# dm-X and system/vendor partitions.
31allow update_verifier sysfs_dm:dir r_dir_perms;
32allow update_verifier sysfs_dm:file r_file_perms;
33
34# Read all blocks in DM wrapped system partition.
35allow update_verifier dm_device:blk_file r_file_perms;
36
37# Write to kernel message.
38allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
39
40# Use Boot Control HAL
41hal_client_domain(update_verifier, hal_bootctl)
42
43# Access Checkpoint commands over binder
44allow update_verifier vold_service:service_manager find;
45binder_call(update_verifier, servicemanager)
46binder_call(update_verifier, vold)
47