1# Domain for update_engine daemon.
2type update_engine, domain, update_engine_common;
3type update_engine_exec, exec_type, file_type;
4
5net_domain(update_engine);
6
7# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
8# sockets.
9allow update_engine qtaguid_proc:file rw_file_perms;
10allow update_engine qtaguid_device:chr_file r_file_perms;
11
12# Following permissions are needed for update_engine.
13allow update_engine self:process { setsched };
14allow update_engine self:global_capability_class_set { fowner sys_admin };
15# Note: fsetid checks are triggered when creating a file in a directory with
16# the setgid bit set to determine if the file should inherit setgid. In this
17# case, setgid on the file is undesirable so we should just suppress the
18# denial.
19dontaudit update_engine self:global_capability_class_set fsetid;
20
21allow update_engine kmsg_device:chr_file w_file_perms;
22allow update_engine update_engine_exec:file rx_file_perms;
23wakelock_use(update_engine);
24
25# Ignore these denials.
26dontaudit update_engine kernel:process setsched;
27dontaudit update_engine self:capability sys_rawio;
28
29# Allow using persistent storage in /data/misc/update_engine.
30allow update_engine update_engine_data_file:dir create_dir_perms;
31allow update_engine update_engine_data_file:file create_file_perms;
32
33# Allow using persistent storage in /data/misc/update_engine_log.
34allow update_engine update_engine_log_data_file:dir create_dir_perms;
35allow update_engine update_engine_log_data_file:file create_file_perms;
36
37# Don't allow kernel module loading, just silence the logs.
38dontaudit update_engine kernel:system module_request;
39
40# Register the service to perform Binder IPC.
41binder_use(update_engine)
42add_service(update_engine, update_engine_service)
43
44# Allow update_engine to call the callback function provided by priv_app.
45binder_call(update_engine, priv_app)
46
47# Read OTA zip file at /data/ota_package/.
48allow update_engine ota_package_file:file r_file_perms;
49allow update_engine ota_package_file:dir r_dir_perms;
50
51# Use Boot Control HAL
52hal_client_domain(update_engine, hal_bootctl)
53
54# access /proc/misc
55allow update_engine proc_misc:file r_file_perms;
56
57# read directories on /system and /vendor
58allow update_engine system_file:dir r_dir_perms;
59