1# Domain for update_engine daemon.
2type update_engine, domain, update_engine_common;
3type update_engine_exec, system_file_type, exec_type, file_type;
4
5net_domain(update_engine);
6
7# Following permissions are needed for update_engine.
8allow update_engine self:process { setsched };
9allow update_engine self:global_capability_class_set { fowner sys_admin };
10# Note: fsetid checks are triggered when creating a file in a directory with
11# the setgid bit set to determine if the file should inherit setgid. In this
12# case, setgid on the file is undesirable so we should just suppress the
13# denial.
14dontaudit update_engine self:global_capability_class_set fsetid;
15
16allow update_engine kmsg_device:chr_file { getattr w_file_perms };
17allow update_engine update_engine_exec:file rx_file_perms;
18wakelock_use(update_engine);
19
20# Ignore these denials.
21dontaudit update_engine kernel:process setsched;
22dontaudit update_engine self:global_capability_class_set sys_rawio;
23
24# Allow using persistent storage in /data/misc/update_engine.
25allow update_engine update_engine_data_file:dir create_dir_perms;
26allow update_engine update_engine_data_file:file create_file_perms;
27
28# Allow using persistent storage in /data/misc/update_engine_log.
29allow update_engine update_engine_log_data_file:dir create_dir_perms;
30allow update_engine update_engine_log_data_file:file create_file_perms;
31
32# Don't allow kernel module loading, just silence the logs.
33dontaudit update_engine kernel:system module_request;
34
35# Register the service to perform Binder IPC.
36binder_use(update_engine)
37add_service(update_engine, update_engine_service)
38
39# Allow update_engine to call the callback function provided by priv_app/GMS core.
40binder_call(update_engine, priv_app)
41# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
42userdebug_or_eng(`
43  auditallow update_engine priv_app:binder { call transfer };
44  auditallow priv_app update_engine:binder transfer;
45  auditallow update_engine priv_app:fd use;
46')
47
48binder_call(update_engine, gmscore_app)
49
50# Allow update_engine to call the callback function provided by system_server.
51binder_call(update_engine, system_server)
52
53# Read OTA zip file at /data/ota_package/.
54allow update_engine ota_package_file:file r_file_perms;
55allow update_engine ota_package_file:dir r_dir_perms;
56
57# Use Boot Control HAL
58hal_client_domain(update_engine, hal_bootctl)
59
60# access /proc/misc
61allow update_engine proc_misc:file r_file_perms;
62
63# read directories on /system and /vendor
64allow update_engine system_file:dir r_dir_perms;
65
66# Allow to start gsid service.
67set_prop(update_engine, ctl_gsid_prop)
68
69# Allow to set the OTA related properties, e.g. ota.warm_reset.
70set_prop(update_engine, ota_prop)
71
72# Allow to get the DSU status
73get_prop(update_engine, gsid_prop)
74
75# update_engine tries to determine the parent path for all devices (e.g.
76# /dev/block/by-name) by reading the default fstab and looking for the misc
77# device. ReadDefaultFstab() checks whether a GSI is running by checking
78# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
79# the access.
80dontaudit update_engine gsi_metadata_file:dir search;
81
82# Allow to write to snapshotctl_log logs.
83# TODO(b/148818798) revert when parent bug is fixed.
84userdebug_or_eng(`
85allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
86allow update_engine snapshotctl_log_data_file:file create_file_perms;
87')
88