typeattribute update_engine coredomain; init_daemon_domain(update_engine); # Allow to talk to gsid. allow update_engine gsi_service:service_manager find; binder_call(update_engine, gsid) # Allow to start gsid service. set_prop(update_engine, ctl_gsid_prop) # Allow to start snapuserd for dm-user communication. set_prop(update_engine, ctl_snapuserd_prop) # Allow to set the OTA related properties, e.g. ota.warm_reset. set_prop(update_engine, ota_prop) get_prop(update_engine, ota_build_prop) # Allow to get the DSU status get_prop(update_engine, gsid_prop) # Allow update_engine to call the callback function provided by GKI update hook. binder_call(update_engine, gki_apex_prepostinstall) # Allow update_engine to call the callback function by settings app # for the kernel update triggered using 16k developer option binder_call(update_engine, system_app) # Allow to communicate with the snapuserd service, for dm-user snapshots. allow update_engine snapuserd:unix_stream_socket connectto; allow update_engine snapuserd_socket:sock_file write; get_prop(update_engine, snapuserd_prop) # Allow to communicate with apexd for calculating and reserving space for # capex decompression allow update_engine apex_service:service_manager find; binder_call(update_engine, apexd) # let this domain use the hal service binder_use(update_engine) hal_client_domain(update_engine, hal_bootctl) net_domain(update_engine); # Following permissions are needed for update_engine. allow update_engine self:process { setsched }; allow update_engine self:global_capability_class_set { fowner sys_admin }; # Note: fsetid checks are triggered when creating a file in a directory with # the setgid bit set to determine if the file should inherit setgid. In this # case, setgid on the file is undesirable so we should just suppress the # denial. dontaudit update_engine self:global_capability_class_set fsetid; allow update_engine kmsg_device:chr_file { getattr w_file_perms }; allow update_engine update_engine_exec:file rx_file_perms; wakelock_use(update_engine); # Ignore these denials. dontaudit update_engine kernel:process setsched; dontaudit update_engine self:global_capability_class_set sys_rawio; # Allow using persistent storage in /data/misc/update_engine. allow update_engine update_engine_data_file:dir create_dir_perms; allow update_engine update_engine_data_file:file create_file_perms; # Allow using persistent storage in /data/misc/update_engine_log. allow update_engine update_engine_log_data_file:dir create_dir_perms; allow update_engine update_engine_log_data_file:file create_file_perms; # Register the service to perform Binder IPC. binder_use(update_engine) add_service(update_engine, update_engine_service) add_service(update_engine, update_engine_stable_service) # Allow update_engine to call the callback function provided by priv_app/GMS core. binder_call(update_engine, priv_app) # b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain. userdebug_or_eng(` auditallow update_engine priv_app:binder { call transfer }; auditallow priv_app update_engine:binder transfer; auditallow update_engine priv_app:fd use; ') binder_call(update_engine, gmscore_app) # Allow update_engine to call the callback function provided by system_server. binder_call(update_engine, system_server) # Read OTA zip file at /data/ota_package/. allow update_engine ota_package_file:file r_file_perms; allow update_engine ota_package_file:dir r_dir_perms; # Use Boot Control HAL hal_client_domain(update_engine, hal_bootctl) # access /proc/misc allow update_engine proc_misc:file r_file_perms; # read directories on /system and /vendor allow update_engine system_file:dir r_dir_perms; # Allow ReadDefaultFstab(). # update_engine tries to determine the parent path for all devices (e.g. # /dev/block/by-name) by reading the default fstab and looking for the misc # device. read_fstab(update_engine) # Allow to write to snapshotctl_log logs. # TODO(b/148818798) revert when parent bug is fixed. userdebug_or_eng(` allow update_engine snapshotctl_log_data_file:dir rw_dir_perms; allow update_engine snapshotctl_log_data_file:file create_file_perms; ') # Allow determining filesystems available on system. # Needed for checking if overlayfs is enabled allow update_engine proc_filesystems:file r_file_perms; allow update_engine vendor_boot_ota_file:dir { r_dir_perms }; allow update_engine vendor_boot_ota_file:file { r_file_perms };