| Andreas Gampe | 1845b40 | 2019-03-04 14:10:02 -0800 | [diff] [blame^] | 1 | # This command set moves the artifact corresponding to the current slot |
| 2 | # from /data/ota to /data/dalvik-cache. |
| 3 | |
| 4 | type art_apex_boot_integrity, domain, coredomain; |
| 5 | type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type; |
| 6 | |
| 7 | # Technically not a daemon but we do want the transition from init domain to |
| 8 | # art_apex_boot_integrity to occur. |
| 9 | init_daemon_domain(art_apex_boot_integrity) |
| 10 | |
| 11 | # Read dalvik cache directories, remove entries. |
| 12 | allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name }; |
| 13 | # Read and possibly delete dalvik cache files. |
| 14 | allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink }; |
| 15 | |
| 16 | # Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh |
| 17 | allow art_apex_boot_integrity shell_exec:file rx_file_perms; |
| 18 | |
| 19 | # Allow running the mv and rm/rmdir commands using art_apex_boot_integrity |
| 20 | # permissions. |
| 21 | allow art_apex_boot_integrity toolbox_exec:file rx_file_perms; |
| 22 | |
| 23 | # Fsverity in the same domain. |
| 24 | allow art_apex_boot_integrity system_file:file execute_no_trans; |
| 25 | # Fsverity work. |
| 26 | allowxperm art_apex_boot_integrity ota_data_file:file ioctl { |
| 27 | FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY |
| 28 | }; |
| 29 | |
| 30 | allow art_apex_boot_integrity kernel:key search; |
| 31 | # For testing purposes, allow keys installed with su. |
| 32 | userdebug_or_eng(` |
| 33 | allow art_apex_boot_integrity su:key search; |
| 34 | ') |