platform_system_sepolicy/public/update_engine.te
William Roberts 606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00

39 lines
1.4 KiB
Text

# Domain for update_engine daemon.
# update_engine uses the boot_control_hal.
type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type;
net_domain(update_engine);
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };
allow update_engine kmsg_device:chr_file w_file_perms;
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;
# Use binderized HAL
hwbinder_use(update_engine)
binder_call(update_engine, hal_boot)