75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
46 lines
1.6 KiB
Text
46 lines
1.6 KiB
Text
typeattribute update_verifier coredomain;
|
|
|
|
init_daemon_domain(update_verifier)
|
|
|
|
# Allow update_verifier to reboot the device.
|
|
set_prop(update_verifier, powerctl_prop)
|
|
|
|
# Allow to set the OTA related properties e.g. ota.warm_reset.
|
|
set_prop(update_verifier, ota_prop)
|
|
|
|
# allow update_verifier to connect to snapuserd daemon
|
|
allow update_verifier snapuserd_socket:sock_file write;
|
|
allow update_verifier snapuserd:unix_stream_socket connectto;
|
|
|
|
# virtual a/b properties
|
|
get_prop(update_verifier, virtual_ab_prop)
|
|
|
|
# Allow update_verifier to reach block devices in /dev/block.
|
|
allow update_verifier block_device:dir search;
|
|
|
|
# Read care map in /data/ota_package/.
|
|
allow update_verifier ota_package_file:dir r_dir_perms;
|
|
allow update_verifier ota_package_file:file r_file_perms;
|
|
|
|
# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
|
|
allow update_verifier sysfs:dir r_dir_perms;
|
|
|
|
# Read /sys/block/dm-X/dm/name (which is a symlink to
|
|
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
|
|
# dm-X and system/vendor partitions.
|
|
allow update_verifier sysfs_dm:dir r_dir_perms;
|
|
allow update_verifier sysfs_dm:file r_file_perms;
|
|
|
|
# Read all blocks in DM wrapped system partition.
|
|
allow update_verifier dm_device:blk_file r_file_perms;
|
|
|
|
# Write to kernel message.
|
|
allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
|
|
|
|
# Use Boot Control HAL
|
|
hal_client_domain(update_verifier, hal_bootctl)
|
|
|
|
# Access Checkpoint commands over binder
|
|
allow update_verifier vold_service:service_manager find;
|
|
binder_call(update_verifier, servicemanager)
|
|
binder_call(update_verifier, vold)
|