| Andreas Gampe | ae127d8 | 2019-02-07 16:26:00 -0800 | [diff] [blame] | 1 | # ART APEX preinstall. |
| 2 | # |
| 3 | |
| 4 | type art_apex_preinstall, domain, coredomain; |
| 5 | type art_apex_preinstall_exec, system_file_type, exec_type, file_type; |
| 6 | |
| Andreas Gampe | 15e0245 | 2019-03-11 11:01:11 -0700 | [diff] [blame] | 7 | # /system/bin/sh (see b/126787589). |
| Andreas Gampe | ae127d8 | 2019-02-07 16:26:00 -0800 | [diff] [blame] | 8 | allow art_apex_preinstall apexd:fd use; |
| 9 | |
| 10 | # Create temp dirs and files under /data/ota. |
| 11 | allow art_apex_preinstall ota_data_file:dir create_dir_perms; |
| 12 | allow art_apex_preinstall ota_data_file:file create_file_perms; |
| 13 | # We mount /data/ota/dalvik-cache over /data/dalvik-cache in our |
| 14 | # mount namespace. |
| 15 | allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton }; |
| 16 | allow art_apex_preinstall self:capability sys_admin; |
| 17 | |
| 18 | # Script helpers. |
| 19 | allow art_apex_preinstall shell_exec:file rx_file_perms; |
| 20 | allow art_apex_preinstall toolbox_exec:file rx_file_perms; |
| 21 | |
| 22 | # Execute subscripts in the same domain. |
| 23 | allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans; |
| 24 | |
| 25 | # Run dex2oat. |
| 26 | domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat) |
| Andreas Gampe | 57346a0 | 2019-02-12 14:56:22 -0800 | [diff] [blame] | 27 | |
| 28 | # Fsverity in the same domain. |
| 29 | allow art_apex_preinstall system_file:file execute_no_trans; |
| 30 | # Fsverity work. |
| 31 | allowxperm art_apex_preinstall ota_data_file:file ioctl { |
| 32 | FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY |
| 33 | }; |