Blame - private/compos_verify.te - android_system_sepolicy

blob: 0a281f83bb0309947f5bb34b8ac28a0dbd108033 [file] [log] [blame]

Alan Stokes	766caba	2022-02-14 14:33:37 +0000	[diff] [blame]	1	# Run by odsign to verify a CompOS signature
				2	type compos_verify, domain, coredomain;
				3	type compos_verify_exec, exec_type, file_type, system_file_type;
				4
				5	# Start a VM
				6	binder_use(compos_verify);
				7	virtualizationservice_use(compos_verify);
				8
				9	# Access instance image files
				10	allow compos_verify apex_module_data_file:dir search;
				11	r_dir_file(compos_verify, apex_compos_data_file)
				12
				13	# Read CompOS info & signature files
				14	allow compos_verify apex_art_data_file:dir search;
				15	allow compos_verify apex_art_data_file:file r_file_perms;
				16
				17	# Allow odsign to redirect our stdout/stderr to log
				18	allow compos_verify odsign:fd use;
				19	allow compos_verify odsign_devpts:chr_file { read write };
				20
				21	# Only odsign can enter the domain via exec
				22	neverallow { domain -odsign } compos_verify:process transition;
				23	neverallow * compos_verify:process dyntransition;