| typeattribute kernel coredomain; |
| |
| domain_auto_trans(kernel, init_exec, init) |
| domain_auto_trans(kernel, snapuserd_exec, snapuserd) |
| |
| # Allow the kernel to read otapreopt_chroot's file descriptors and files under |
| # /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex. |
| allow kernel otapreopt_chroot:fd use; |
| allow kernel postinstall_file:file read; |
| |
| # The following sections are for the transition period during a Virtual A/B |
| # OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct |
| # context, and with properly labelled devices. This must be done before |
| # enabling enforcement, eg, in permissive mode while still in the kernel |
| # context. |
| allow kernel tmpfs:blk_file { getattr relabelfrom }; |
| allow kernel tmpfs:chr_file { getattr relabelfrom }; |
| allow kernel tmpfs:lnk_file { getattr relabelfrom }; |
| allow kernel tmpfs:dir { open read relabelfrom }; |
| |
| allow kernel block_device:blk_file relabelto; |
| allow kernel block_device:lnk_file relabelto; |
| allow kernel dm_device:chr_file relabelto; |
| allow kernel dm_device:blk_file relabelto; |
| allow kernel dm_user_device:dir { read open search relabelto }; |
| allow kernel dm_user_device:chr_file relabelto; |
| allow kernel kmsg_device:chr_file relabelto; |
| allow kernel null_device:chr_file relabelto; |
| allow kernel random_device:chr_file relabelto; |
| allow kernel snapuserd_exec:file relabelto; |
| allow kernel vd_device:blk_file read; |
| |
| allow kernel kmsg_device:chr_file write; |
| allow kernel gsid:fd use; |
| |
| # apkdmverity attaches a loop device to idsig file |
| # and the loop device is used by zipfuse later. |
| # This requires kernel to use the fd opened by apkdmverity. |
| allow kernel apkdmverity:fd use; |