# update_engine payload application permissions. These are shared between the # background daemon and the recovery tool to sideload an update. # Allow update_engine to reach block devices in /dev/block. allow update_engine_common block_device:dir search; # Allow read/write on system and boot partitions. allow update_engine_common boot_block_device:blk_file rw_file_perms; allow update_engine_common system_block_device:blk_file rw_file_perms; # Allow to set recovery options in the BCB. Used to trigger factory reset when # the update to an older version (channel change) or incompatible version # requires it. allow update_engine_common misc_block_device:blk_file rw_file_perms; # read fstab allow update_engine_common rootfs:dir getattr; allow update_engine_common rootfs:file r_file_perms; # Allow update_engine_common to mount on the /postinstall directory and reset the # labels on the mounted filesystem to postinstall_file. allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search }; allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto }; allow update_engine_common labeledfs:filesystem relabelfrom; # Allow update_engine_common to read and execute postinstall_file. allow update_engine_common postinstall_file:file rx_file_perms; allow update_engine_common postinstall_file:lnk_file r_file_perms; allow update_engine_common postinstall_file:dir r_dir_perms; # install update.zip from cache r_dir_file(update_engine_common, cache_file) # A postinstall program is typically a shell script (with a #!), so we allow # to execute those. allow update_engine_common shell_exec:file rx_file_perms; # Allow update_engine_common to suspend, resume and kill the postinstall program. allow update_engine_common postinstall:process { signal sigstop sigkill }; # access /proc/misc # Access is also granted to proc:file, but it is likely unneeded # due to the more specific grant to proc_misc immediately below. allow update_engine proc:file r_file_perms; # delete candidate allow update_engine proc_misc:file r_file_perms; # read directories on /system and /vendor allow update_engine system_file:dir r_dir_perms;