12443b7a51
The service running the boot control HAL needs the permissions provided by the boot_control_hal attribute. update_engine and update_verifier still also need these permissions in order to successfully call the new HAL in pass-through mode, but also need permission to call the new service. Bug: 31864052 Test: Built and confirmed no permission denials. Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911 Signed-off-by: Connor O'Brien <connoro@google.com>
18 lines
620 B
Text
18 lines
620 B
Text
# update_verifier
|
|
# update_verifier uses the boot_control_hal.
|
|
type update_verifier, domain, boot_control_hal;
|
|
type update_verifier_exec, exec_type, file_type;
|
|
|
|
# Allow update_verifier to reach block devices in /dev/block.
|
|
allow update_verifier block_device:dir search;
|
|
|
|
# Read care map in /data/ota_package/.
|
|
allow update_verifier ota_package_file:dir r_dir_perms;
|
|
allow update_verifier ota_package_file:file r_file_perms;
|
|
|
|
# Read all blocks in system partition.
|
|
allow update_verifier system_block_device:blk_file r_file_perms;
|
|
|
|
# Use binderized HAL
|
|
hwbinder_use(update_verifier)
|
|
binder_call(update_verifier, hal_boot)
|