75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
53 lines
1.8 KiB
Text
53 lines
1.8 KiB
Text
typeattribute postinstall coredomain;
|
|
type postinstall_exec, system_file_type, exec_type, file_type;
|
|
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
|
|
|
|
allow postinstall rootfs:dir r_dir_perms;
|
|
|
|
# Allow invoking `pm` shell commands.
|
|
allow postinstall package_service:service_manager find;
|
|
|
|
# Allow postinstall to write to its stdout/stderr when redirected via pipes to
|
|
# update_engine.
|
|
allow postinstall update_engine_common:fd use;
|
|
allow postinstall update_engine_common:fifo_file rw_file_perms;
|
|
|
|
# Allow postinstall to read and execute directories and files in the same
|
|
# mounted location.
|
|
allow postinstall postinstall_file:file rx_file_perms;
|
|
allow postinstall postinstall_file:lnk_file r_file_perms;
|
|
allow postinstall postinstall_file:dir r_dir_perms;
|
|
|
|
# Allow postinstall to execute the shell or other system executables.
|
|
allow postinstall shell_exec:file rx_file_perms;
|
|
allow postinstall system_file:file rx_file_perms;
|
|
allow postinstall toolbox_exec:file rx_file_perms;
|
|
|
|
# Allow postinstall to execute shell in recovery.
|
|
recovery_only(`
|
|
allow postinstall rootfs:file rx_file_perms;
|
|
')
|
|
|
|
#
|
|
# For OTA dexopt.
|
|
#
|
|
|
|
# Allow postinstall scripts to talk to the system server.
|
|
binder_use(postinstall)
|
|
binder_call(postinstall, system_server)
|
|
|
|
# Need to talk to the otadexopt service.
|
|
allow postinstall otadexopt_service:service_manager find;
|
|
|
|
# Allow postinstall scripts to trigger f2fs garbage collection
|
|
allow postinstall sysfs_fs_f2fs:file rw_file_perms;
|
|
allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# No domain other than update_engine and recovery (via update_engine_sideload)
|
|
# should transition to postinstall, as it is only meant to run during the
|
|
# update.
|
|
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
|