a12aad45b6
Grant audited permissions collected in logs.
tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420
path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:rootfs:s0 tclass=dir
tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0"
ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
48 lines
2.1 KiB
Text
48 lines
2.1 KiB
Text
# update_engine payload application permissions. These are shared between the
|
|
# background daemon and the recovery tool to sideload an update.
|
|
|
|
# Allow update_engine to reach block devices in /dev/block.
|
|
allow update_engine_common block_device:dir search;
|
|
|
|
# Allow read/write on system and boot partitions.
|
|
allow update_engine_common boot_block_device:blk_file rw_file_perms;
|
|
allow update_engine_common system_block_device:blk_file rw_file_perms;
|
|
|
|
# Allow to set recovery options in the BCB. Used to trigger factory reset when
|
|
# the update to an older version (channel change) or incompatible version
|
|
# requires it.
|
|
allow update_engine_common misc_block_device:blk_file rw_file_perms;
|
|
|
|
# read fstab
|
|
allow update_engine_common rootfs:dir getattr;
|
|
allow update_engine_common rootfs:file r_file_perms;
|
|
|
|
# Allow update_engine_common to mount on the /postinstall directory and reset the
|
|
# labels on the mounted filesystem to postinstall_file.
|
|
allow update_engine_common postinstall_mnt_dir:dir mounton;
|
|
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
|
|
allow update_engine_common labeledfs:filesystem relabelfrom;
|
|
|
|
# Allow update_engine_common to read and execute postinstall_file.
|
|
allow update_engine_common postinstall_file:file rx_file_perms;
|
|
allow update_engine_common postinstall_file:lnk_file r_file_perms;
|
|
allow update_engine_common postinstall_file:dir r_dir_perms;
|
|
|
|
# install update.zip from cache
|
|
r_dir_file(update_engine_common, cache_file)
|
|
|
|
# A postinstall program is typically a shell script (with a #!), so we allow
|
|
# to execute those.
|
|
allow update_engine_common shell_exec:file rx_file_perms;
|
|
|
|
# Allow update_engine_common to suspend, resume and kill the postinstall program.
|
|
allow update_engine_common postinstall:process { signal sigstop sigkill };
|
|
|
|
# access /proc/misc
|
|
# Access is also granted to proc:file, but it is likely unneeded
|
|
# due to the more specific grant to proc_misc immediately below.
|
|
allow update_engine proc:file r_file_perms; # delete candidate
|
|
allow update_engine proc_misc:file r_file_perms;
|
|
|
|
# read directories on /system and /vendor
|
|
allow update_engine system_file:dir r_dir_perms;
|