Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9f28f8b360964c3b115c945d1e886e536688a63d / . / private / otapreopt_chroot.te
blob: 608ed9e54cc9da30a62e19e71d35e27d9085291f [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute otapreopt_chroot coredomain;
2
Roland Levillain9f28f8b2019-01-22 17:56:05 +0000[diff] [blame^]3# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]4domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
Roland Levillain0a6c2d02019-01-15 17:36:47 +0000[diff] [blame]5
6# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
7allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
8# Allow otapreopt_chroot to access loop devices.
9allow otapreopt_chroot loop_device:blk_file rw_file_perms;
10allowxperm otapreopt_chroot loop_device:blk_file ioctl {
11 LOOP_GET_STATUS64
12 LOOP_SET_STATUS64
13 LOOP_SET_FD
14 LOOP_SET_BLOCK_SIZE
15 LOOP_SET_DIRECT_IO
16 LOOP_CLR_FD
17 BLKFLSBUF
18};
19
20# Allow otapreopt_chroot to configure read-ahead of loop devices.
21allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
22allow otapreopt_chroot sysfs_loop:file rw_file_perms;
23
24# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
25allow otapreopt_chroot tmpfs:filesystem mount;
26# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
27allow otapreopt_chroot tmpfs:dir create_dir_perms;
28# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
29allow otapreopt_chroot tmpfs:dir mounton;
Roland Levillain7094d4f2019-01-21 15:01:26 +0000[diff] [blame]30
Roland Levillain66fcb982019-01-25 12:59:47 +0000[diff] [blame]31# Allow otapreopt_chroot to access /dev/block (needed to detach loop
32# devices used by ext4 images from APEX packages).
Roland Levillain7094d4f2019-01-21 15:01:26 +0000[diff] [blame]33allow otapreopt_chroot block_device:dir r_dir_perms;