1# Domain for update_engine daemon. 2type update_engine, domain, update_engine_common; 3type update_engine_exec, exec_type, file_type; 4 5net_domain(update_engine); 6 7# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network 8# sockets. 9allow update_engine qtaguid_proc:file rw_file_perms; 10allow update_engine qtaguid_device:chr_file r_file_perms; 11 12# Following permissions are needed for update_engine. 13allow update_engine self:process { setsched }; 14allow update_engine self:global_capability_class_set { fowner sys_admin }; 15# Note: fsetid checks are triggered when creating a file in a directory with 16# the setgid bit set to determine if the file should inherit setgid. In this 17# case, setgid on the file is undesirable so we should just suppress the 18# denial. 19dontaudit update_engine self:global_capability_class_set fsetid; 20 21allow update_engine kmsg_device:chr_file w_file_perms; 22allow update_engine update_engine_exec:file rx_file_perms; 23wakelock_use(update_engine); 24 25# Ignore these denials. 26dontaudit update_engine kernel:process setsched; 27dontaudit update_engine self:capability sys_rawio; 28 29# Allow using persistent storage in /data/misc/update_engine. 30allow update_engine update_engine_data_file:dir create_dir_perms; 31allow update_engine update_engine_data_file:file create_file_perms; 32 33# Allow using persistent storage in /data/misc/update_engine_log. 34allow update_engine update_engine_log_data_file:dir create_dir_perms; 35allow update_engine update_engine_log_data_file:file create_file_perms; 36 37# Don't allow kernel module loading, just silence the logs. 38dontaudit update_engine kernel:system module_request; 39 40# Register the service to perform Binder IPC. 41binder_use(update_engine) 42add_service(update_engine, update_engine_service) 43 44# Allow update_engine to call the callback function provided by priv_app. 45binder_call(update_engine, priv_app) 46 47# Read OTA zip file at /data/ota_package/. 48allow update_engine ota_package_file:file r_file_perms; 49allow update_engine ota_package_file:dir r_dir_perms; 50 51# Use Boot Control HAL 52hal_client_domain(update_engine, hal_bootctl) 53 54# access /proc/misc 55allow update_engine proc_misc:file r_file_perms; 56 57# read directories on /system and /vendor 58allow update_engine system_file:dir r_dir_perms; 59