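--- /dev/null
+++ b/common/private/backuptool.te
+type backuptool, domain, coredomain;
+permissive backuptool;
+neverallow { domain -update_engine } backuptool:process transition;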
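Review bot: `permissive backuptool;` is declared unconditionally, so on every build variant denials for anything running in the backuptool domain are logged rather than enforced, and the new file has no allow rules saying what the domain needs. If permissive mode is only meant for bring-up, scope it to debug builds with ``userdebug_or_eng(`permissive backuptool;')`` and replace it with allow rules derived from the audit log before user builds ship. The `neverallow` restricting transitions into the domain to update_engine is a useful guard, but it only bounds who can enter, not what the domain may do once entered. The file would also benefit from a one-line header comment stating what runs in this domain and why it is permissive.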
common/private/update_engine.te +5 −8 allow update_engine self:capability { dac_override dac_read_search sys_rawio }; # Read updates from storage data r_dir_file(update_engine, mnt_user_file) r_dir_file(update_engine, storage_file) allow update_engine self:capability { chown fsetid sys_rawio }; # Allow mount and unmount of system partition allow update_engine labeledfs:filesystem { mount unmount }; allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms; allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms; allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms; allow update_engine { rootfs system_file }:file { relabelfrom relabelto }; # Allow transition to backuptool domain allow update_engine self:process setexec; domain_trans(update_engine, otapreopt_chroot_exec, backuptool)
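Review bot: `domain_trans(update_engine, otapreopt_chroot_exec, backuptool)` is the non-automatic form, so the child only lands in backuptool when update_engine sets the exec context itself, which is presumably why `allow update_engine self:process setexec;` sits next to it. The section also lists `otapreopt_chroot_exec` under `rx_file_perms`, which as I read the AOSP macro includes execute_no_trans, so an exec that skips or fails the context-setting step would run in update_engine's own domain rather than backuptool; the caller should fail closed in that case. Reusing `otapreopt_chroot_exec` as the entrypoint to a permissive domain deserves a comment naming the binary involved, or a dedicated exec type with `domain_auto_trans` so that the `setexec` grant is not needed. The rendered page does not mark which lines of this section are added and which removed (+5 −8), so the capability and file-access rules are not assessed here.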