Blame - private/composd.te - android_system_sepolicy

blob: 96991c6fea255ab98beb16755b7b05dc4be6152e [file] [log] [blame]

Alan Stokes	d376e20	2021-09-09 17:08:15 +0100	[diff] [blame]	1	type composd, domain, coredomain;
				2	type composd_exec, system_file_type, exec_type, file_type;
				3
Alan Stokes	8788f7a	2021-11-19 17:33:34 +0000	[diff] [blame]	4	# Host dynamic AIDL services
Alan Stokes	d376e20	2021-09-09 17:08:15 +0100	[diff] [blame]	5	init_daemon_domain(composd)
				6	binder_use(composd)
				7	add_service(composd, compos_service)
				8
Alan Stokes	9112c9a	2021-10-19 16:50:24 +0100	[diff] [blame]	9	# Call back into system server
				10	binder_call(composd, system_server)
				11
Alan Stokes	d376e20	2021-09-09 17:08:15 +0100	[diff] [blame]	12	# Start a VM
				13	virtualizationservice_use(composd)
				14
Alan Stokes	2914610	2021-12-16 14:31:14 +0000	[diff] [blame]	15	# Prepare staging directory for odrefresh
Victor Hsieh	33aa1a3	2021-12-03 16:46:18 -0800	[diff] [blame]	16	allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
				17	allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
Alan Stokes	ce6e298	2021-12-21 14:43:39 +0000	[diff] [blame]	18	allow composd apex_art_staging_data_file:file { getattr unlink };
Victor Hsieh	33aa1a3	2021-12-03 16:46:18 -0800	[diff] [blame]	19
Victor Hsieh	a115d49	2023-03-14 17:43:09 -0700	[diff] [blame^]	20	# Delete files or enable fs-verity in the odrefresh target directory
				21	allow composd apex_art_data_file:file { open ioctl read unlink write };
				22	allowxperm composd apex_art_data_file:file ioctl FS_IOC_ENABLE_VERITY;
Alan Stokes	2914610	2021-12-16 14:31:14 +0000	[diff] [blame]	23
Alan Stokes	d376e20	2021-09-09 17:08:15 +0100	[diff] [blame]	24	# Access our APEX data files
				25	allow composd apex_module_data_file:dir search;
				26	allow composd apex_compos_data_file:dir create_dir_perms;
				27	allow composd apex_compos_data_file:file create_file_perms;
Alan Stokes	d3438b0	2021-09-15 14:28:12 +0100	[diff] [blame]	28
Victor Hsieh	90b7b00	2021-11-30 14:21:06 -0800	[diff] [blame]	29	# Run fd_server in its own domain, and send SIGTERM when finished.
				30	domain_auto_trans(composd, fd_server_exec, compos_fd_server)
				31	allow composd compos_fd_server:process signal;
				32
Victor Hsieh	1f117c26	2021-12-01 15:25:23 -0800	[diff] [blame]	33	# Read ART's properties
				34	get_prop(composd, dalvik_config_prop)
Victor Hsieh	3423bc4	2022-05-10 16:14:30 -0700	[diff] [blame]	35	get_prop(composd, device_config_runtime_native_boot_prop)
Alan Stokes	2914610	2021-12-16 14:31:14 +0000	[diff] [blame]	36
				37	# We never create any artifact files directly
Victor Hsieh	a115d49	2023-03-14 17:43:09 -0700	[diff] [blame^]	38	neverallow composd apex_art_data_file:file create;