typeattribute postinstall coredomain;
type postinstall_exec, system_file_type, exec_type, file_type;
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)

allow postinstall rootfs:dir r_dir_perms;

# Allow invoking `pm` shell commands.
allow postinstall package_service:service_manager find;

# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file rw_file_perms;

# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file rx_file_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:dir r_dir_perms;

# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file rx_file_perms;
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;

# Allow postinstall to execute shell in recovery.
recovery_only(`
  allow postinstall rootfs:file rx_file_perms;
')

#
# For OTA dexopt.
#

# Allow postinstall scripts to talk to the system server.
binder_use(postinstall)
binder_call(postinstall, system_server)

# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;

# Allow postinstall scripts to trigger f2fs garbage collection
allow postinstall sysfs_fs_f2fs:file rw_file_perms;
allow postinstall sysfs_fs_f2fs:dir r_dir_perms;

###
### Neverallow rules
###

# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };