platform_system_sepolicy/public/update_engine.te
Yifan Hong 42351f9aab Add update_engine_stable_service
This is the stable AIDL binder interface that update_engine exposes in
addition to update_engine_service.

Test: run update_engine
Bug: 160996544

Change-Id: I28ba11810844373d48c8c203f79e98150f932942
2020-07-31 15:49:10 -07:00

79 lines
3.1 KiB
Text

# Domain for update_engine daemon.
type update_engine, domain, update_engine_common;
type update_engine_exec, system_file_type, exec_type, file_type;
net_domain(update_engine);
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:global_capability_class_set { fowner sys_admin };
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
dontaudit update_engine self:global_capability_class_set fsetid;
allow update_engine kmsg_device:chr_file { getattr w_file_perms };
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
dontaudit update_engine self:global_capability_class_set sys_rawio;
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir create_dir_perms;
allow update_engine update_engine_data_file:file create_file_perms;
# Allow using persistent storage in /data/misc/update_engine_log.
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
add_service(update_engine, update_engine_stable_service)
# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow update_engine priv_app:binder { call transfer };
auditallow priv_app update_engine:binder transfer;
auditallow update_engine priv_app:fd use;
')
binder_call(update_engine, gmscore_app)
# Allow update_engine to call the callback function provided by system_server.
binder_call(update_engine, system_server)
# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
# access /proc/misc
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
dontaudit update_engine gsi_metadata_file:dir search;
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
userdebug_or_eng(`
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
allow update_engine snapshotctl_log_data_file:file create_file_perms;
')