platform_system_sepolicy/public/update_engine.te

# Domain for update_engine daemon.
# update_engine uses the boot_control_hal.
type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type;

net_domain(update_engine);

# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
# sockets.
allow update_engine qtaguid_proc:file rw_file_perms;
allow update_engine qtaguid_device:chr_file r_file_perms;

# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };
allow update_engine kmsg_device:chr_file w_file_perms;
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);

# Ignore these denials.
dontaudit update_engine kernel:process setsched;

# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };

# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;

# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)

# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)

# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;

# Use binderized HAL
hwbinder_use(update_engine)
binder_call(update_engine, hal_boot)