2017-03-23 22:27:32 +01:00
|
|
|
typeattribute kernel coredomain;
|
|
|
|
|
2016-07-22 22:13:11 +02:00
|
|
|
domain_auto_trans(kernel, init_exec, init)
|
2020-12-03 06:15:08 +01:00
|
|
|
domain_auto_trans(kernel, snapuserd_exec, snapuserd)
|
2019-03-18 18:54:42 +01:00
|
|
|
|
|
|
|
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
|
|
|
|
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
|
|
|
|
allow kernel otapreopt_chroot:fd use;
|
|
|
|
allow kernel postinstall_file:file read;
|
2020-12-03 06:15:08 +01:00
|
|
|
|
|
|
|
# The following sections are for the transition period during a Virtual A/B
|
|
|
|
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
|
|
|
|
# context, and with properly labelled devices. This must be done before
|
|
|
|
# enabling enforcement, eg, in permissive mode while still in the kernel
|
|
|
|
# context.
|
|
|
|
allow kernel tmpfs:blk_file { getattr relabelfrom };
|
|
|
|
allow kernel tmpfs:chr_file { getattr relabelfrom };
|
|
|
|
allow kernel tmpfs:lnk_file { getattr relabelfrom };
|
|
|
|
allow kernel tmpfs:dir { open read relabelfrom };
|
|
|
|
|
|
|
|
allow kernel block_device:blk_file relabelto;
|
|
|
|
allow kernel block_device:lnk_file relabelto;
|
|
|
|
allow kernel dm_device:chr_file relabelto;
|
|
|
|
allow kernel dm_device:blk_file relabelto;
|
|
|
|
allow kernel dm_user_device:dir { read open search relabelto };
|
|
|
|
allow kernel dm_user_device:chr_file relabelto;
|
|
|
|
allow kernel kmsg_device:chr_file relabelto;
|
|
|
|
allow kernel null_device:chr_file relabelto;
|
|
|
|
allow kernel random_device:chr_file relabelto;
|
|
|
|
allow kernel snapuserd_exec:file relabelto;
|
|
|
|
|
|
|
|
allow kernel kmsg_device:chr_file write;
|
2021-01-14 08:27:50 +01:00
|
|
|
allow kernel gsid:fd use;
|
2021-12-03 15:21:54 +01:00
|
|
|
|
2022-07-26 23:26:01 +02:00
|
|
|
dontaudit kernel metadata_file:dir search;
|
|
|
|
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
|
|
|
|
dontaudit kernel sysfs:dir r_dir_perms;
|
|
|
|
dontaudit kernel sysfs:file { open read write };
|
|
|
|
dontaudit kernel sysfs:chr_file { open read write };
|
|
|
|
dontaudit kernel dm_device:chr_file ioctl;
|
|
|
|
dontaudit kernel self:capability { sys_admin setgid mknod };
|
|
|
|
|
|
|
|
dontaudit kernel dm_user_device:dir { write add_name };
|
|
|
|
dontaudit kernel dm_user_device:chr_file { create setattr };
|
|
|
|
dontaudit kernel tmpfs:lnk_file read;
|
|
|
|
dontaudit kernel tmpfs:blk_file { open read };
|