| # Domain for update_engine daemon. |
| type update_engine, domain, update_engine_common; |
| type update_engine_exec, system_file_type, exec_type, file_type; |
| |
| net_domain(update_engine); |
| |
| # Following permissions are needed for update_engine. |
| allow update_engine self:process { setsched }; |
| allow update_engine self:global_capability_class_set { fowner sys_admin }; |
| # Note: fsetid checks are triggered when creating a file in a directory with |
| # the setgid bit set to determine if the file should inherit setgid. In this |
| # case, setgid on the file is undesirable so we should just suppress the |
| # denial. |
| dontaudit update_engine self:global_capability_class_set fsetid; |
| |
| allow update_engine kmsg_device:chr_file { getattr w_file_perms }; |
| allow update_engine update_engine_exec:file rx_file_perms; |
| wakelock_use(update_engine); |
| |
| # Ignore these denials. |
| dontaudit update_engine kernel:process setsched; |
| dontaudit update_engine self:global_capability_class_set sys_rawio; |
| |
| # Allow using persistent storage in /data/misc/update_engine. |
| allow update_engine update_engine_data_file:dir create_dir_perms; |
| allow update_engine update_engine_data_file:file create_file_perms; |
| |
| # Allow using persistent storage in /data/misc/update_engine_log. |
| allow update_engine update_engine_log_data_file:dir create_dir_perms; |
| allow update_engine update_engine_log_data_file:file create_file_perms; |
| |
| # Don't allow kernel module loading, just silence the logs. |
| dontaudit update_engine kernel:system module_request; |
| |
| # Register the service to perform Binder IPC. |
| binder_use(update_engine) |
| add_service(update_engine, update_engine_service) |
| |
| # Allow update_engine to call the callback function provided by priv_app/GMS core. |
| binder_call(update_engine, priv_app) |
| # b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain. |
| userdebug_or_eng(` |
| auditallow update_engine priv_app:binder { call transfer }; |
| auditallow priv_app update_engine:binder transfer; |
| auditallow update_engine priv_app:fd use; |
| ') |
| |
| binder_call(update_engine, gmscore_app) |
| |
| # Allow update_engine to call the callback function provided by system_server. |
| binder_call(update_engine, system_server) |
| |
| # Read OTA zip file at /data/ota_package/. |
| allow update_engine ota_package_file:file r_file_perms; |
| allow update_engine ota_package_file:dir r_dir_perms; |
| |
| # Use Boot Control HAL |
| hal_client_domain(update_engine, hal_bootctl) |
| |
| # access /proc/misc |
| allow update_engine proc_misc:file r_file_perms; |
| |
| # read directories on /system and /vendor |
| allow update_engine system_file:dir r_dir_perms; |
| |
| # Allow to start gsid service. |
| set_prop(update_engine, ctl_gsid_prop) |
| |
| # Allow to set the OTA related properties, e.g. ota.warm_reset. |
| set_prop(update_engine, ota_prop) |
| |
| # Allow to get the DSU status |
| get_prop(update_engine, gsid_prop) |
| |
| # update_engine tries to determine the parent path for all devices (e.g. |
| # /dev/block/by-name) by reading the default fstab and looking for the misc |
| # device. ReadDefaultFstab() checks whether a GSI is running by checking |
| # gsi_metadata_file. We never apply OTAs when GSI is running, so just deny |
| # the access. |
| dontaudit update_engine gsi_metadata_file:dir search; |
| |
| # Allow to write to snapshotctl_log logs. |
| # TODO(b/148818798) revert when parent bug is fixed. |
| userdebug_or_eng(` |
| allow update_engine snapshotctl_log_data_file:dir rw_dir_perms; |
| allow update_engine snapshotctl_log_data_file:file create_file_perms; |
| ') |