Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Blame History Permalink
  • dcashman's avatar
    Split general policy into public and private components. · cc39f637
    dcashman authored 
    Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
    cc39f637
postinstall.te 1.40 KiB 
# Domain where the postinstall program runs during the update.
# Extend the permissions in this domain to allow this program to access other
# files needed by the specific device on your device's sepolicy directory.
type postinstall, domain;

# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file rw_file_perms;

# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file rx_file_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:dir r_dir_perms;

# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file rx_file_perms;
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;

#
# For OTA dexopt.
#

# Allow postinstall scripts to talk to the system server.
binder_use(postinstall)
binder_call(postinstall, system_server)

# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;

# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };