Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ea38d6925d3a5b8d3e9839caf76f4c3cb9e4cb08 / . / private / compos_fd_server.te
blob: 01504eec8dd3686b14407a0369bdd2cdf9fa1380 [file] [log] [blame]
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]1# Make ART inputs and outputs available to the CompOS VM
2type compos_fd_server, domain, coredomain;
3
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame]4# Allow access to open fds inherited from composd
5allow compos_fd_server composd:fd use;
6
Alan Stokes8dc78002021-12-14 13:30:23 +0000[diff] [blame]7# Allow creating new files and directories in the staging directory.
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame]8allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
9allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
10
Alan Stokes8dc78002021-12-14 13:30:23 +0000[diff] [blame]11# Allow creating new files and directories in the artifacts directory.
12allow compos_fd_server apex_art_data_file:dir create_dir_perms;
13allow compos_fd_server apex_art_data_file:file create_file_perms;
14
Alan Stokesad6e1262021-10-04 09:34:30 +0100[diff] [blame]15# Use a pipe to signal readiness
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame]16allow compos_fd_server composd:fifo_file write;
Alan Stokesad6e1262021-10-04 09:34:30 +0100[diff] [blame]17
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]18# TODO(b/196109647) - remove this when no longer needed by minijail
Victor Hsieh90b7b002021-11-30 14:21:06 -0800[diff] [blame]19allow compos_fd_server composd:fifo_file read;
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]20
21# Create a listening vsock for the VM to connect back to
22allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
23
Victor Hsiehea38d692022-01-24 12:15:07 -0800[diff] [blame^]24# Only composd can enter the domain via exec
25neverallow { domain -composd } compos_fd_server:process transition;
Alan Stokesec4a90f2021-09-21 13:32:24 +0100[diff] [blame]26neverallow * compos_fd_server:process dyntransition;