1# Domain where the postinstall program runs during the update. 2# Extend the permissions in this domain to allow this program to access other 3# files needed by the specific device on your device's sepolicy directory. 4type postinstall, domain; 5 6# Allow postinstall to write to its stdout/stderr when redirected via pipes to 7# update_engine. 8allow postinstall update_engine:fd use; 9allow postinstall update_engine:fifo_file rw_file_perms; 10 11# Allow postinstall to read and execute directories and files in the same 12# mounted location. 13allow postinstall postinstall_file:file rx_file_perms; 14allow postinstall postinstall_file:lnk_file r_file_perms; 15allow postinstall postinstall_file:dir r_dir_perms; 16 17# Allow postinstall to execute the shell or other system executables. 18allow postinstall shell_exec:file rx_file_perms; 19allow postinstall system_file:file rx_file_perms; 20allow postinstall toolbox_exec:file rx_file_perms; 21 22# No domain other than update_engine should transition to postinstall, as it is 23# only meant to run during the update. 24neverallow { domain -update_engine } postinstall:process { transition dyntransition }; 25 26# 27# For OTA dexopt. 28# 29 30# Allow postinstall scripts to talk to the system server. 31binder_use(postinstall) 32binder_call(postinstall, system_server) 33 34# Need to talk to the otadexopt service. 35allow postinstall otadexopt_service:service_manager find;