Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 90b7b0039101c0ba05c58c2ebbd1e4a6f0345638 / . / private / compos_fd_server.te
blob: 72964c3447a2a07efab358dacf55b51c9bf04005 [file] [log] [blame]
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]1# Make ART inputs and outputs available to the CompOS VM
2type compos_fd_server, domain, coredomain;
3
4# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame^]5# TODO(b/209008712): Remove once migration is done.
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]6allow compos_fd_server odrefresh:fd use;
7allow compos_fd_server apex_art_data_file:file { getattr read };
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame^]8
9# Allow access to open fds inherited from composd
10allow compos_fd_server composd:fd use;
11
12# Allow creating new files and directory in the staging directory.
13allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
14allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
15
Alan Stokesad6e1262021-10-04 09:34:30 +0100[diff] [blame]16# Use a pipe to signal readiness
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame^]17# TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
Alan Stokesad6e1262021-10-04 09:34:30 +0100[diff] [blame]18allow compos_fd_server odrefresh:fifo_file write;
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame^]19allow compos_fd_server composd:fifo_file write;
Alan Stokesad6e1262021-10-04 09:34:30 +0100[diff] [blame]20
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]21# TODO(b/196109647) - remove this when no longer needed by minijail
22allow compos_fd_server odrefresh:fifo_file read;
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame^]23allow compos_fd_server composd:fifo_file read;
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]24
25# Create a listening vsock for the VM to connect back to
26allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
27
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame^]28# Only composd and odrefresh can enter the domain via exec
29# TODO(b/209008712): Remove odrefresh once migration is done.
30neverallow { domain -composd -odrefresh } compos_fd_server:process transition;
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]31neverallow * compos_fd_server:process dyntransition;