1# Domain for update_engine daemon. 2type update_engine, domain, update_engine_common; 3type update_engine_exec, system_file_type, exec_type, file_type; 4 5net_domain(update_engine); 6 7# Following permissions are needed for update_engine. 8allow update_engine self:process { setsched }; 9allow update_engine self:global_capability_class_set { fowner sys_admin }; 10# Note: fsetid checks are triggered when creating a file in a directory with 11# the setgid bit set to determine if the file should inherit setgid. In this 12# case, setgid on the file is undesirable so we should just suppress the 13# denial. 14dontaudit update_engine self:global_capability_class_set fsetid; 15 16allow update_engine kmsg_device:chr_file { getattr w_file_perms }; 17allow update_engine update_engine_exec:file rx_file_perms; 18wakelock_use(update_engine); 19 20# Ignore these denials. 21dontaudit update_engine kernel:process setsched; 22dontaudit update_engine self:global_capability_class_set sys_rawio; 23 24# Allow using persistent storage in /data/misc/update_engine. 25allow update_engine update_engine_data_file:dir create_dir_perms; 26allow update_engine update_engine_data_file:file create_file_perms; 27 28# Allow using persistent storage in /data/misc/update_engine_log. 29allow update_engine update_engine_log_data_file:dir create_dir_perms; 30allow update_engine update_engine_log_data_file:file create_file_perms; 31 32# Don't allow kernel module loading, just silence the logs. 33dontaudit update_engine kernel:system module_request; 34 35# Register the service to perform Binder IPC. 36binder_use(update_engine) 37add_service(update_engine, update_engine_service) 38 39# Allow update_engine to call the callback function provided by priv_app. 40binder_call(update_engine, priv_app) 41 42# Allow update_engine to call the callback function provided by system_server. 43binder_call(update_engine, system_server) 44 45# Read OTA zip file at /data/ota_package/. 46allow update_engine ota_package_file:file r_file_perms; 47allow update_engine ota_package_file:dir r_dir_perms; 48 49# Use Boot Control HAL 50hal_client_domain(update_engine, hal_bootctl) 51 52# access /proc/misc 53allow update_engine proc_misc:file r_file_perms; 54 55# read directories on /system and /vendor 56allow update_engine system_file:dir r_dir_perms; 57