blob: 775bb1eda46cd859c785473ce071d06399848dfe [file] [log] [blame]
# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.
# Allow update_engine to reach block devices in /dev/block.
allow update_engine_common block_device:dir search;
# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file rw_file_perms;
allow update_engine_common system_block_device:blk_file rw_file_perms;
# Allow to set recovery options in the BCB. Used to trigger factory reset when
# the update to an older version (channel change) or incompatible version
# requires it.
allow update_engine_common misc_block_device:blk_file rw_file_perms;
# read fstab
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file r_file_perms;
# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir mounton;
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
allow update_engine_common labeledfs:filesystem relabelfrom;
# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
allow update_engine_common postinstall_file:lnk_file r_file_perms;
allow update_engine_common postinstall_file:dir r_dir_perms;
# install update.zip from cache
r_dir_file(update_engine_common, cache_file)
# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.
allow update_engine_common shell_exec:file rx_file_perms;
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
# access /proc/misc
# Access is also granted to proc:file, but it is likely unneeded
# due to the more specific grant to proc_misc immediately below.
allow update_engine proc:file r_file_perms; # delete candidate
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;