platform_system_sepolicy/private/art_apex_postinstall.te

# ART APEX postinstall.
#

type art_apex_postinstall, domain, coredomain;
type art_apex_postinstall_exec, system_file_type, exec_type, file_type;

# /system/bin/sh (see b/126787589).
allow art_apex_postinstall apexd:fd use;

# Read temp dirs and files. Move directories.
allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
# We're deleting the old /data/dalvik-cache/* and move the new ones
# over.
allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };

# Required for relabel.
allow art_apex_postinstall file_contexts_file:file r_file_perms;
allow art_apex_postinstall self:global_capability_class_set sys_admin;

# Script helpers.
allow art_apex_postinstall shell_exec:file rx_file_perms;
allow art_apex_postinstall toolbox_exec:file rx_file_perms;

# Fsverity in the same domain.
allow art_apex_postinstall system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_postinstall ota_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
Sepolicy: Add base runtime APEX postinstall policies Add art_apex_postinstall domain that is allowed to move precreated AoT artifacts from /data/ota. Bug: 125474642 Test: m Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd 2019-02-21 19:03:07 +01:00			`# ART APEX postinstall.`
			`#`

			`type art_apex_postinstall, domain, coredomain;`
			`type art_apex_postinstall_exec, system_file_type, exec_type, file_type;`

Sepolicy: Fix comment on apexd:fd use The file descriptors for /dev/zero are no longer open. However, a descriptor to the shell is still inherited. Update the comment. Bug: 126787589 Test: m Test: manual Change-Id: I0d4518d2ba771622ea969bbf02827db45788bc09 2019-03-11 19:01:11 +01:00			`# /system/bin/sh (see b/126787589).`
Sepolicy: Add base runtime APEX postinstall policies Add art_apex_postinstall domain that is allowed to move precreated AoT artifacts from /data/ota. Bug: 125474642 Test: m Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd 2019-02-21 19:03:07 +01:00			`allow art_apex_postinstall apexd:fd use;`

			`# Read temp dirs and files. Move directories.`
			`allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };`
			`allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };`
			`# We're deleting the old /data/dalvik-cache/* and move the new ones`
			`# over.`
			`allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };`
			`allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };`

			`# Required for relabel.`
			`allow art_apex_postinstall file_contexts_file:file r_file_perms;`
Sepolicy: Give sys_admin for relabel This requirement slipped through. Bug: 125474642 Test: m Test: manual Change-Id: I8b31bda519632a549574d3057bc49a158e796e2e 2019-03-12 18:49:16 +01:00			`allow art_apex_postinstall self:global_capability_class_set sys_admin;`
Sepolicy: Add base runtime APEX postinstall policies Add art_apex_postinstall domain that is allowed to move precreated AoT artifacts from /data/ota. Bug: 125474642 Test: m Change-Id: Id674e202737155a4ee31187f096d1dd655001fdd 2019-02-21 19:03:07 +01:00
			`# Script helpers.`
			`allow art_apex_postinstall shell_exec:file rx_file_perms;`
			`allow art_apex_postinstall toolbox_exec:file rx_file_perms;`
Sepolicy: Add runtime APEX postinstall fsverity permissions Add rights to check and enable fsverity data. Bug: 125474642 Test: m Change-Id: I35ce4d6ac3db5b00d35860033a5751de26acf17c 2019-03-01 01:51:12 +01:00
			`# Fsverity in the same domain.`
			`allow art_apex_postinstall system_file:file execute_no_trans;`
			`# Fsverity work.`
			`allowxperm art_apex_postinstall ota_data_file:file ioctl {`
			`FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY`
			`};`