| Alex Klyubin | f5446eb | 2017-03-23 14:27:32 -0700 | [diff] [blame] | 1 | typeattribute otapreopt_chroot coredomain; |
| 2 | |
| dcashman | cc39f63 | 2016-07-22 13:13:11 -0700 | [diff] [blame] | 3 | # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox. |
| 4 | domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt) |
| Roland Levillain | 0a6c2d0 | 2019-01-15 17:36:47 +0000 | [diff] [blame] | 5 | |
| 6 | # Allow otapreopt_chroot to create loop devices with /dev/loop-control. |
| 7 | allow otapreopt_chroot loop_control_device:chr_file rw_file_perms; |
| 8 | # Allow otapreopt_chroot to access loop devices. |
| 9 | allow otapreopt_chroot loop_device:blk_file rw_file_perms; |
| 10 | allowxperm otapreopt_chroot loop_device:blk_file ioctl { |
| 11 | LOOP_GET_STATUS64 |
| 12 | LOOP_SET_STATUS64 |
| 13 | LOOP_SET_FD |
| 14 | LOOP_SET_BLOCK_SIZE |
| 15 | LOOP_SET_DIRECT_IO |
| 16 | LOOP_CLR_FD |
| 17 | BLKFLSBUF |
| 18 | }; |
| 19 | |
| 20 | # Allow otapreopt_chroot to configure read-ahead of loop devices. |
| 21 | allow otapreopt_chroot sysfs_loop:dir r_dir_perms; |
| 22 | allow otapreopt_chroot sysfs_loop:file rw_file_perms; |
| 23 | |
| 24 | # Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex. |
| 25 | allow otapreopt_chroot tmpfs:filesystem mount; |
| 26 | # Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex. |
| 27 | allow otapreopt_chroot tmpfs:dir create_dir_perms; |
| 28 | # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex. |
| 29 | allow otapreopt_chroot tmpfs:dir mounton; |
| Roland Levillain | 7094d4f | 2019-01-21 15:01:26 +0000 | [diff] [blame^] | 30 | |
| 31 | # Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex. |
| 32 | allow otapreopt_chroot labeledfs:filesystem unmount; |
| 33 | # Allow otapreopt_chroot to access /dev/block. |
| 34 | allow otapreopt_chroot block_device:dir r_dir_perms; |