Blame - microdroid/system/private/compos.te - android_system_sepolicy

blob: 386f11ed86702db4391ef7b46e420a1c12a8e197 [file] [log] [blame]

Inseob Kim	7560aed	2021-07-20 09:57:57 +0000	[diff] [blame]	1	# TODO(b/193504816): move this to compos APEX
Inseob Kim	1f87fbd	2021-07-26 05:56:31 +0000	[diff] [blame]	2	type compos, domain, coredomain, microdroid_payload;
Inseob Kim	7560aed	2021-07-20 09:57:57 +0000	[diff] [blame]	3	type compos_exec, exec_type, file_type, system_file_type;
				4
Alan Stokes	50d2195	2022-01-17 13:50:16 +0000	[diff] [blame]	5	# Expose RPC Binder service over vsock
Inseob Kim	7560aed	2021-07-20 09:57:57 +0000	[diff] [blame]	6	allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
				7
Alan Stokes	50d2195	2022-01-17 13:50:16 +0000	[diff] [blame]	8	# Allow using various binder services
Inseob Kim	1f87fbd	2021-07-26 05:56:31 +0000	[diff] [blame]	9	binder_use(compos);
Alan Stokes	0c5449b	2022-02-17 18:01:46 +0000	[diff] [blame]	10	allow compos authfs_binder_service:service_manager find;
Victor Hsieh	aa987aa	2021-08-10 16:33:32 -0700	[diff] [blame]	11	binder_call(compos, authfs_service);
Victor Hsieh	aa987aa	2021-08-10 16:33:32 -0700	[diff] [blame]	12
Alan Stokes	14f1887	2021-12-16 13:40:21 +0000	[diff] [blame]	13	# Read artifacts created by odrefresh and create signature files.
Alan Stokes	14f1887	2021-12-16 13:40:21 +0000	[diff] [blame]	14	allow compos authfs_fuse:dir rw_dir_perms;
				15	allow compos authfs_fuse:file create_file_perms;
Victor Hsieh	f97cc1f	2021-11-30 14:43:47 -0800	[diff] [blame]	16
				17	# Allow locating the authfs mount directory.
Alan Stokes	14f1887	2021-12-16 13:40:21 +0000	[diff] [blame]	18	allow compos authfs_data_file:dir search;
Victor Hsieh	f97cc1f	2021-11-30 14:43:47 -0800	[diff] [blame]	19
Alan Stokes	d313282	2022-01-05 16:05:54 +0000	[diff] [blame]	20	# Run derive_classpath in our domain
				21	allow compos derive_classpath_exec:file rx_file_perms;
				22	allow compos apex_mnt_dir:dir r_dir_perms;
				23	# Ignore harmless denials on /proc/self/fd
				24	dontaudit compos self:dir write;
				25	# See b/35323867#comment3
				26	dontaudit compos self:global_capability_class_set dac_override;
				27
Victor Hsieh	3423bc4	2022-05-10 16:14:30 -0700	[diff] [blame^]	28	# Allow settings system properties that ART expects.
				29	set_prop(compos, dalvik_config_prop)
				30	set_prop(compos, device_config_runtime_native_boot_prop)
				31
Alan Stokes	766caba	2022-02-14 14:33:37 +0000	[diff] [blame]	32	# Allow running odrefresh in its own domain
Victor Hsieh	f97cc1f	2021-11-30 14:43:47 -0800	[diff] [blame]	33	domain_auto_trans(compos, odrefresh_exec, odrefresh)
Alan Stokes	766caba	2022-02-14 14:33:37 +0000	[diff] [blame]	34
				35	# Allow running compos_key_helper in its own domain
				36	domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)
				37	# And killing it on error
				38	allow compos compos_key_helper:process sigkill;