1# Domain where the postinstall program runs during the update. 2# Extend the permissions in this domain to allow this program to access other 3# files needed by the specific device on your device's sepolicy directory. 4type postinstall, domain; 5 6# Allow postinstall to write to its stdout/stderr when redirected via pipes to 7# update_engine. 8allow postinstall update_engine_common:fd use; 9allow postinstall update_engine_common:fifo_file rw_file_perms; 10 11# Allow postinstall to read and execute directories and files in the same 12# mounted location. 13allow postinstall postinstall_file:file rx_file_perms; 14allow postinstall postinstall_file:lnk_file r_file_perms; 15allow postinstall postinstall_file:dir r_dir_perms; 16 17# Allow postinstall to execute the shell or other system executables. 18allow postinstall shell_exec:file rx_file_perms; 19allow postinstall system_file:file rx_file_perms; 20allow postinstall toolbox_exec:file rx_file_perms; 21 22# 23# For OTA dexopt. 24# 25 26# Allow postinstall scripts to talk to the system server. 27binder_use(postinstall) 28binder_call(postinstall, system_server) 29 30# Need to talk to the otadexopt service. 31allow postinstall otadexopt_service:service_manager find; 32 33# No domain other than update_engine and recovery (via update_engine_sideload) 34# should transition to postinstall, as it is only meant to run during the 35# update. 36neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition }; 37