Change-Id: Ib1f52f40dab26ac4575e06bfd54b88809b00f8d3
1 parent
75ac3aa
commit 618adbf
Showing
2 changed files
with
10 additions
and
8 deletions.
@@ -0,0 +1,5 @@ | ||
type backuptool, domain, coredomain; | ||
|
||
permissive backuptool; | ||
|
||
neverallow { domain -update_engine } backuptool:process transition; |
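Review bot: `permissive backuptool;` is unconditional, so on every build variant denials in this new domain are only logged and nothing is enforced for code running as `backuptool`. If the permissive state is only needed while the rule set is being worked out, wrap the line in the `userdebug_or_eng` macro, or replace it with the explicit allow rules the tool needs. The `neverallow` restricts only `transition`; covering dynamic transitions as well would close the other way into the domain: `neverallow { domain -update_engine } backuptool:process { transition dyntransition };`. A one-line comment above the `type` declaration saying what runs in this domain would help later reviewers judge which rules it actually requires.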
@@ -1,13 +1,10 @@ | ||
allow update_engine self:capability { dac_override dac_read_search sys_rawio }; | ||
|
||
# Read updates from storage data | ||
r_dir_file(update_engine, mnt_user_file) | ||
r_dir_file(update_engine, storage_file) | ||
|
||
allow update_engine self:capability { chown fsetid sys_rawio }; | ||
|
||
# Allow mount and unmount of system partition | ||
allow update_engine labeledfs:filesystem { mount unmount }; | ||
|
||
allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms; | ||
allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms; | ||
allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms; | ||
allow update_engine { rootfs system_file }:file { relabelfrom relabelto }; | ||
# Allow transition to backuptool domain | ||
allow update_engine self:process setexec; | ||
domain_trans(update_engine, otapreopt_chroot_exec, backuptool) |
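Review bot: `domain_trans(update_engine, otapreopt_chroot_exec, backuptool)` on the last line reuses the `otapreopt_chroot_exec` label as the entrypoint, so every file carrying that label becomes a valid way into `backuptool`, which the other file in this commit declares permissive. A dedicated exec type for the backup tool (placeholder name `<backuptool_exec>`, labelled in file_contexts) would keep the entrypoint limited to the one binary that is meant to run there. `allow update_engine self:process setexec;` is what lets update_engine request the new context explicitly, so the comment above it should say why an explicit request is needed, e.g. `# update_engine picks the backuptool context itself via setexeccon before exec`, if that is indeed how the caller works. The rendered page has lost the +/- markers, so it is not clear from here which of the two `self:capability` lines and which of the `rootfs`/`system_file` write and relabel rules remain after the change; any that remain are worth narrowing, since they apply to update_engine itself and not only to the new domain.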