2015-10-05 23:04:39 +02:00
|
|
|
# Domain for update_engine daemon.
|
2016-04-22 22:23:36 +02:00
|
|
|
# update_engine uses the boot_control_hal.
|
2016-08-04 05:31:37 +02:00
|
|
|
type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
|
2015-10-05 23:04:39 +02:00
|
|
|
type update_engine_exec, exec_type, file_type;
|
|
|
|
type update_engine_data_file, file_type, data_file_type;
|
|
|
|
|
|
|
|
init_daemon_domain(update_engine);
|
|
|
|
net_domain(update_engine);
|
|
|
|
|
|
|
|
# Following permissions are needed for update_engine.
|
|
|
|
allow update_engine self:process { setsched };
|
|
|
|
allow update_engine self:capability { fowner sys_admin };
|
|
|
|
allow update_engine kmsg_device:chr_file w_file_perms;
|
2015-11-21 01:09:14 +01:00
|
|
|
allow update_engine update_engine_exec:file rx_file_perms;
|
2015-10-05 23:04:39 +02:00
|
|
|
wakelock_use(update_engine);
|
|
|
|
|
2016-03-02 01:14:45 +01:00
|
|
|
# Ignore these denials.
|
|
|
|
dontaudit update_engine kernel:process setsched;
|
|
|
|
|
2015-10-05 23:04:39 +02:00
|
|
|
# Allow using persistent storage in /data/misc/update_engine.
|
|
|
|
allow update_engine update_engine_data_file:dir { create_dir_perms };
|
|
|
|
allow update_engine update_engine_data_file:file { create_file_perms };
|
|
|
|
|
|
|
|
# Don't allow kernel module loading, just silence the logs.
|
|
|
|
dontaudit update_engine kernel:system module_request;
|
2016-01-26 01:41:03 +01:00
|
|
|
|
|
|
|
# Register the service to perform Binder IPC.
|
|
|
|
binder_use(update_engine)
|
|
|
|
allow update_engine update_engine_service:service_manager { add };
|
|
|
|
|
|
|
|
# Allow update_engine to call the callback function provided by priv_app.
|
|
|
|
binder_call(update_engine, priv_app)
|