04fb82f232
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
47 lines
1.6 KiB
Text
47 lines
1.6 KiB
Text
# Domain for update_engine daemon.
|
|
type update_engine, domain, update_engine_common;
|
|
type update_engine_exec, exec_type, file_type;
|
|
|
|
net_domain(update_engine);
|
|
|
|
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
|
|
# sockets.
|
|
allow update_engine qtaguid_proc:file rw_file_perms;
|
|
allow update_engine qtaguid_device:chr_file r_file_perms;
|
|
|
|
# Following permissions are needed for update_engine.
|
|
allow update_engine self:process { setsched };
|
|
allow update_engine self:capability { fowner sys_admin };
|
|
allow update_engine kmsg_device:chr_file w_file_perms;
|
|
allow update_engine update_engine_exec:file rx_file_perms;
|
|
wakelock_use(update_engine);
|
|
|
|
# Ignore these denials.
|
|
dontaudit update_engine kernel:process setsched;
|
|
|
|
# Allow using persistent storage in /data/misc/update_engine.
|
|
allow update_engine update_engine_data_file:dir { create_dir_perms };
|
|
allow update_engine update_engine_data_file:file { create_file_perms };
|
|
|
|
# Don't allow kernel module loading, just silence the logs.
|
|
dontaudit update_engine kernel:system module_request;
|
|
|
|
# Register the service to perform Binder IPC.
|
|
binder_use(update_engine)
|
|
add_service(update_engine, update_engine_service)
|
|
|
|
# Allow update_engine to call the callback function provided by priv_app.
|
|
binder_call(update_engine, priv_app)
|
|
|
|
# Read OTA zip file at /data/ota_package/.
|
|
allow update_engine ota_package_file:file r_file_perms;
|
|
allow update_engine ota_package_file:dir r_dir_perms;
|
|
|
|
# Use Boot Control HAL
|
|
hal_client_domain(update_engine, hal_bootctl)
|
|
|
|
# access /proc/misc
|
|
allow update_engine proc_misc:file r_file_perms;
|
|
|
|
# read directories on /system and /vendor
|
|
allow update_engine system_file:dir r_dir_perms;
|