1# Domain where the postinstall program runs during the update.
2# Extend the permissions in this domain to allow this program to access other
3# files needed by the specific device on your device's sepolicy directory.
4type postinstall, domain;
5
6# Allow postinstall to write to its stdout/stderr when redirected via pipes to
7# update_engine.
8allow postinstall update_engine_common:fd use;
9allow postinstall update_engine_common:fifo_file rw_file_perms;
10
11# Allow postinstall to read and execute directories and files in the same
12# mounted location.
13allow postinstall postinstall_file:file rx_file_perms;
14allow postinstall postinstall_file:lnk_file r_file_perms;
15allow postinstall postinstall_file:dir r_dir_perms;
16
17# Allow postinstall to execute the shell or other system executables.
18allow postinstall shell_exec:file rx_file_perms;
19allow postinstall system_file:file rx_file_perms;
20allow postinstall toolbox_exec:file rx_file_perms;
21
22#
23# For OTA dexopt.
24#
25
26# Allow postinstall scripts to talk to the system server.
27binder_use(postinstall)
28binder_call(postinstall, system_server)
29
30# Need to talk to the otadexopt service.
31allow postinstall otadexopt_service:service_manager find;
32
33# No domain other than update_engine and recovery (via update_engine_sideload)
34# should transition to postinstall, as it is only meant to run during the
35# update.
36neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
37