# Private type-enforcement rules for the kernel domain (the file name is not
# shown on this page; presumably the private kernel.te).
typeattribute kernel coredomain;

# Executing init_exec or snapuserd_exec from the kernel domain automatically
# transitions into the init / snapuserd domain (domain_auto_trans macro), so
# neither process keeps running with the kernel domain's permissions.
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)

# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;

# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, e.g., in permissive mode while still in the kernel
# context.
#
# relabelfrom is granted only on nodes that still carry the tmpfs label, and
# relabelto only on the device types enumerated below, rather than on device
# objects in general; keep any addition scoped the same way.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };

# Target labels the kernel domain may relabel the above nodes to.
allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
allow kernel snapuserd_exec:file relabelto;

# NOTE(review): presumably so snapuserd can log to kmsg while still in the
# kernel context — confirm against the change that added it.
allow kernel kmsg_device:chr_file write;
# NOTE(review): use of file descriptors inherited from gsid; no rationale is
# recorded here — confirm against the change that added it.
allow kernel gsid:fd use;

# dontaudit only suppresses the audit record; the access is still denied.
# These look like expected denials from the same pre-enforcement snapuserd
# re-launch path (no rationale recorded here — confirm before extending the
# list, since a suppressed denial that later becomes required fails silently).
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };

dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };

# Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into
# enforcing mode.
#
# Keep these as dontaudit rather than allow: relabelto on the *_contexts and
# mac_perms types would let the kernel domain apply policy-input labels to
# files of its choosing.
dontaudit kernel device:dir { open read relabelto };
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
    file_contexts_file
    hwservice_contexts_file
    mac_perms_file
    property_contexts_file
    seapp_contexts_file
    sepolicy_test_file
    service_contexts_file
}:file relabelto;