| Andreas Gampe | 4c2d06c | 2019-02-21 10:03:07 -0800 | [diff] [blame] | 1 | # ART APEX postinstall. |
| 2 | # |
| 3 | |
| 4 | type art_apex_postinstall, domain, coredomain; |
| 5 | type art_apex_postinstall_exec, system_file_type, exec_type, file_type; |
| 6 | |
| 7 | # /dev/zero |
| 8 | allow art_apex_postinstall apexd:fd use; |
| 9 | |
| 10 | # Read temp dirs and files. Move directories. |
| 11 | allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent }; |
| 12 | allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom }; |
| 13 | # We're deleting the old /data/dalvik-cache/* and move the new ones |
| 14 | # over. |
| 15 | allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto }; |
| 16 | allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto }; |
| 17 | |
| 18 | # Required for relabel. |
| 19 | allow art_apex_postinstall file_contexts_file:file r_file_perms; |
| 20 | |
| 21 | # Script helpers. |
| 22 | allow art_apex_postinstall shell_exec:file rx_file_perms; |
| 23 | allow art_apex_postinstall toolbox_exec:file rx_file_perms; |
| Andreas Gampe | 67e14ad | 2019-02-28 16:51:12 -0800 | [diff] [blame] | 24 | |
| 25 | # Fsverity in the same domain. |
| 26 | allow art_apex_postinstall system_file:file execute_no_trans; |
| 27 | # Fsverity work. |
| 28 | allowxperm art_apex_postinstall ota_data_file:file ioctl { |
| 29 | FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY |
| 30 | }; |
| 31 | |
| 32 | allow art_apex_postinstall kernel:key search; |
| 33 | # For testing purposes, allow keys installed with su. |
| 34 | userdebug_or_eng(` |
| 35 | allow art_apex_postinstall su:key search; |
| 36 | ') |