blob: 6775b3b09f6118157cd18bea72621bc33945d25e [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -07001typeattribute kernel coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -07003domain_auto_trans(kernel, init_exec, init)
David Andersonf4cba7e2020-12-02 21:15:08 -08004domain_auto_trans(kernel, snapuserd_exec, snapuserd)
Andreas Gamped6fdcef2019-03-18 10:54:42 -07005
6# Allow the kernel to read otapreopt_chroot's file descriptors and files under
7# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
8allow kernel otapreopt_chroot:fd use;
9allow kernel postinstall_file:file read;
David Andersonf4cba7e2020-12-02 21:15:08 -080010
11# The following sections are for the transition period during a Virtual A/B
12# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
13# context, and with properly labelled devices. This must be done before
14# enabling enforcement, eg, in permissive mode while still in the kernel
15# context.
16allow kernel tmpfs:blk_file { getattr relabelfrom };
17allow kernel tmpfs:chr_file { getattr relabelfrom };
18allow kernel tmpfs:lnk_file { getattr relabelfrom };
19allow kernel tmpfs:dir { open read relabelfrom };
20
21allow kernel block_device:blk_file relabelto;
22allow kernel block_device:lnk_file relabelto;
23allow kernel dm_device:chr_file relabelto;
24allow kernel dm_device:blk_file relabelto;
25allow kernel dm_user_device:dir { read open search relabelto };
26allow kernel dm_user_device:chr_file relabelto;
27allow kernel kmsg_device:chr_file relabelto;
28allow kernel null_device:chr_file relabelto;
29allow kernel random_device:chr_file relabelto;
30allow kernel snapuserd_exec:file relabelto;
31
32allow kernel kmsg_device:chr_file write;
Howard Chen4db8cbd2021-01-14 15:27:50 +080033allow kernel gsid:fd use;
Jeff Vander Stoepbc0fa662021-12-03 15:21:54 +010034
35# Some contexts are changed before the device is flipped into enforcing mode
36# during the setup of Apex sepolicy. These denials can be suppressed since
37# the permissions should not be allowed after the device is flipped into
38# enforcing mode.
39dontaudit kernel device:dir { open read relabelto };
40dontaudit kernel tmpfs:file { getattr open read relabelfrom };
41dontaudit kernel {
42 file_contexts_file
43 hwservice_contexts_file
44 mac_perms_file
45 property_contexts_file
46 seapp_contexts_file
47 sepolicy_test_file
48 service_contexts_file
49}:file relabelto;