Blame - microdroid/sepolicy/system/private/kernel.te - android_packages_modules_Virtualization

blob: 53411634340bdc10811e9bb9ed1d5d39fcbff486 [file] [log] [blame]

Inseob Kim	ff43be2	2021-06-07 16:56:56 +0900	[diff] [blame]	1	typeattribute kernel coredomain;
				2
				3	domain_auto_trans(kernel, init_exec, init)
				4	domain_auto_trans(kernel, snapuserd_exec, snapuserd)
				5
				6	# Allow the kernel to read otapreopt_chroot's file descriptors and files under
				7	# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
				8	allow kernel otapreopt_chroot:fd use;
				9	allow kernel postinstall_file:file read;
				10
				11	# The following sections are for the transition period during a Virtual A/B
				12	# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
				13	# context, and with properly labelled devices. This must be done before
				14	# enabling enforcement, eg, in permissive mode while still in the kernel
				15	# context.
				16	allow kernel tmpfs:blk_file { getattr relabelfrom };
				17	allow kernel tmpfs:chr_file { getattr relabelfrom };
				18	allow kernel tmpfs:lnk_file { getattr relabelfrom };
				19	allow kernel tmpfs:dir { open read relabelfrom };
				20
				21	allow kernel block_device:blk_file relabelto;
				22	allow kernel block_device:lnk_file relabelto;
				23	allow kernel dm_device:chr_file relabelto;
				24	allow kernel dm_device:blk_file relabelto;
				25	allow kernel dm_user_device:dir { read open search relabelto };
				26	allow kernel dm_user_device:chr_file relabelto;
				27	allow kernel kmsg_device:chr_file relabelto;
				28	allow kernel null_device:chr_file relabelto;
				29	allow kernel random_device:chr_file relabelto;
				30	allow kernel snapuserd_exec:file relabelto;
				31
				32	allow kernel kmsg_device:chr_file write;
				33	allow kernel gsid:fd use;