d33155be26
This allow bspatch to have same perssion as update_engine. Also added a rule to allow update_engine to execute bspatch. Bug: 24478450 Test: No more permission deny during delta update. Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4
28 lines
1.1 KiB
Text
28 lines
1.1 KiB
Text
# Domain for update_engine daemon.
|
|
type update_engine, domain, domain_deprecated;
|
|
type update_engine_exec, exec_type, file_type;
|
|
type update_engine_data_file, file_type, data_file_type;
|
|
|
|
init_daemon_domain(update_engine);
|
|
net_domain(update_engine);
|
|
|
|
# Following permissions are needed for update_engine.
|
|
allow update_engine self:process { setsched };
|
|
allow update_engine self:capability { fowner sys_admin };
|
|
allow update_engine kmsg_device:chr_file w_file_perms;
|
|
allow update_engine update_engine_exec:file rx_file_perms;
|
|
wakelock_use(update_engine);
|
|
|
|
# Allow using persistent storage in /data/misc/update_engine.
|
|
allow update_engine update_engine_data_file:dir { create_dir_perms };
|
|
allow update_engine update_engine_data_file:file { create_file_perms };
|
|
|
|
# Allow update_engine to reach block devices in /dev/block.
|
|
allow update_engine block_device:dir search;
|
|
|
|
# Allow read/write on system and boot partitions.
|
|
allow update_engine boot_block_device:blk_file rw_file_perms;
|
|
allow update_engine system_block_device:blk_file rw_file_perms;
|
|
|
|
# Don't allow kernel module loading, just silence the logs.
|
|
dontaudit update_engine kernel:system module_request;
|