75806ef3c5
Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
117 lines
4.3 KiB
Text
117 lines
4.3 KiB
Text
typeattribute update_engine coredomain;
|
|
|
|
init_daemon_domain(update_engine);
|
|
|
|
# Allow to talk to gsid.
|
|
allow update_engine gsi_service:service_manager find;
|
|
binder_call(update_engine, gsid)
|
|
|
|
# Allow to start gsid service.
|
|
set_prop(update_engine, ctl_gsid_prop)
|
|
|
|
# Allow to start snapuserd for dm-user communication.
|
|
set_prop(update_engine, ctl_snapuserd_prop)
|
|
|
|
# Allow to set the OTA related properties, e.g. ota.warm_reset.
|
|
set_prop(update_engine, ota_prop)
|
|
get_prop(update_engine, ota_build_prop)
|
|
|
|
# Allow to get the DSU status
|
|
get_prop(update_engine, gsid_prop)
|
|
|
|
# Allow update_engine to call the callback function provided by GKI update hook.
|
|
binder_call(update_engine, gki_apex_prepostinstall)
|
|
|
|
# Allow update_engine to call the callback function by settings app
|
|
# for the kernel update triggered using 16k developer option
|
|
binder_call(update_engine, system_app)
|
|
|
|
# Allow to communicate with the snapuserd service, for dm-user snapshots.
|
|
allow update_engine snapuserd:unix_stream_socket connectto;
|
|
allow update_engine snapuserd_socket:sock_file write;
|
|
get_prop(update_engine, snapuserd_prop)
|
|
|
|
# Allow to communicate with apexd for calculating and reserving space for
|
|
# capex decompression
|
|
allow update_engine apex_service:service_manager find;
|
|
binder_call(update_engine, apexd)
|
|
|
|
# let this domain use the hal service
|
|
binder_use(update_engine)
|
|
hal_client_domain(update_engine, hal_bootctl)
|
|
|
|
net_domain(update_engine);
|
|
|
|
# Following permissions are needed for update_engine.
|
|
allow update_engine self:process { setsched };
|
|
allow update_engine self:global_capability_class_set { fowner sys_admin };
|
|
# Note: fsetid checks are triggered when creating a file in a directory with
|
|
# the setgid bit set to determine if the file should inherit setgid. In this
|
|
# case, setgid on the file is undesirable so we should just suppress the
|
|
# denial.
|
|
dontaudit update_engine self:global_capability_class_set fsetid;
|
|
|
|
allow update_engine kmsg_device:chr_file { getattr w_file_perms };
|
|
allow update_engine update_engine_exec:file rx_file_perms;
|
|
wakelock_use(update_engine);
|
|
|
|
# Ignore these denials.
|
|
dontaudit update_engine kernel:process setsched;
|
|
dontaudit update_engine self:global_capability_class_set sys_rawio;
|
|
|
|
# Allow using persistent storage in /data/misc/update_engine.
|
|
allow update_engine update_engine_data_file:dir create_dir_perms;
|
|
allow update_engine update_engine_data_file:file create_file_perms;
|
|
|
|
# Allow using persistent storage in /data/misc/update_engine_log.
|
|
allow update_engine update_engine_log_data_file:dir create_dir_perms;
|
|
allow update_engine update_engine_log_data_file:file create_file_perms;
|
|
|
|
# Register the service to perform Binder IPC.
|
|
binder_use(update_engine)
|
|
add_service(update_engine, update_engine_service)
|
|
add_service(update_engine, update_engine_stable_service)
|
|
|
|
# Allow update_engine to call the callback function provided by priv_app/GMS core.
|
|
binder_call(update_engine, priv_app)
|
|
# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
|
|
userdebug_or_eng(`
|
|
auditallow update_engine priv_app:binder { call transfer };
|
|
auditallow priv_app update_engine:binder transfer;
|
|
auditallow update_engine priv_app:fd use;
|
|
')
|
|
|
|
binder_call(update_engine, gmscore_app)
|
|
|
|
# Allow update_engine to call the callback function provided by system_server.
|
|
binder_call(update_engine, system_server)
|
|
|
|
# Read OTA zip file at /data/ota_package/.
|
|
allow update_engine ota_package_file:file r_file_perms;
|
|
allow update_engine ota_package_file:dir r_dir_perms;
|
|
|
|
# Use Boot Control HAL
|
|
hal_client_domain(update_engine, hal_bootctl)
|
|
|
|
# access /proc/misc
|
|
allow update_engine proc_misc:file r_file_perms;
|
|
|
|
# read directories on /system and /vendor
|
|
allow update_engine system_file:dir r_dir_perms;
|
|
|
|
# Allow ReadDefaultFstab().
|
|
# update_engine tries to determine the parent path for all devices (e.g.
|
|
# /dev/block/by-name) by reading the default fstab and looking for the misc
|
|
# device.
|
|
read_fstab(update_engine)
|
|
|
|
# Allow to write to snapshotctl_log logs.
|
|
# TODO(b/148818798) revert when parent bug is fixed.
|
|
userdebug_or_eng(`
|
|
allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
|
|
allow update_engine snapshotctl_log_data_file:file create_file_perms;
|
|
')
|
|
|
|
# Allow determining filesystems available on system.
|
|
# Needed for checking if overlayfs is enabled
|
|
allow update_engine proc_filesystems:file r_file_perms;
|