| # Domain where the postinstall program runs during the update. |
| # Extend the permissions in this domain to allow this program to access other |
| # files needed by the specific device on your device's sepolicy directory. |
| type postinstall, domain; |
| |
| # Allow postinstall to write to its stdout/stderr when redirected via pipes to |
| # update_engine. |
| allow postinstall update_engine_common:fd use; |
| allow postinstall update_engine_common:fifo_file rw_file_perms; |
| |
| # Allow postinstall to read and execute directories and files in the same |
| # mounted location. |
| allow postinstall postinstall_file:file rx_file_perms; |
| allow postinstall postinstall_file:lnk_file r_file_perms; |
| allow postinstall postinstall_file:dir r_dir_perms; |
| |
| # Allow postinstall to execute the shell or other system executables. |
| allow postinstall shell_exec:file rx_file_perms; |
| allow postinstall system_file:file rx_file_perms; |
| allow postinstall toolbox_exec:file rx_file_perms; |
| |
| # |
| # For OTA dexopt. |
| # |
| |
| # Allow postinstall scripts to talk to the system server. |
| binder_use(postinstall) |
| binder_call(postinstall, system_server) |
| |
| # Need to talk to the otadexopt service. |
| allow postinstall otadexopt_service:service_manager find; |
| |
| domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot) |
| |
| # No domain other than update_engine and recovery (via update_engine_sideload) |
| # should transition to postinstall, as it is only meant to run during the |
| # update. |
| neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition }; |