| Anton Hansson | e822545 | 2019-11-25 13:10:10 +0000 | [diff] [blame] | 1 | |
| 2 | # Domain for derive_sdk |
| 3 | type derive_sdk, domain, coredomain; |
| 4 | type derive_sdk_exec, system_file_type, exec_type, file_type; |
| 5 | init_daemon_domain(derive_sdk) |
| 6 | |
| 7 | # Read /apex |
| 8 | allow derive_sdk apex_mnt_dir:dir r_dir_perms; |
| Jooyung Han | b6211b8 | 2023-05-31 17:51:14 +0900 | [diff] [blame] | 9 | allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms; |
| Anton Hansson | e822545 | 2019-11-25 13:10:10 +0000 | [diff] [blame] | 10 | |
| 11 | # Prop rules: writable by derive_sdk, readable by bootclasspath (apps) |
| Anton Hansson | b841335 | 2020-01-06 17:29:13 +0000 | [diff] [blame] | 12 | set_prop(derive_sdk, module_sdkextensions_prop) |
| 13 | neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set; |
| MÃ¥rten Kongstad | 098e909 | 2022-09-20 14:19:30 +0200 | [diff] [blame] | 14 | |
| 15 | # Allow derive_sdk to write data back to dumpstate when forked from dumpstate. |
| 16 | # The shell_data_file permissions are needed when a bugreport is taken: |
| 17 | # dumpstate will redirect its stdout to a temporary shell_data_file:file, and |
| 18 | # this makes derive_sdk append to that file. |
| 19 | allow derive_sdk dumpstate:fd use; |
| 20 | allow derive_sdk dumpstate:unix_stream_socket { read write }; |
| 21 | allow derive_sdk shell_data_file:file { getattr append read write }; |