Merge "Introduce vendor_apex_metadata_file" am: 94dc202954 am: 1f47660fb4
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2606717 Change-Id: Id89d5266a07d0632bd4463ecb267e5d40a8ea19a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Jooyung Han
Automerger Merge Worker
commit
3f9a296855
10 changed files with 17 additions and 3 deletions
|
|
@ -102,8 +102,8 @@ allow apexd staging_data_file:file { r_file_perms link };
|
||||||
allow apexd staging_data_file:file relabelto;
|
allow apexd staging_data_file:file relabelto;
|
||||||
|
|
||||||
# allow apexd to read files from /vendor/apex
|
# allow apexd to read files from /vendor/apex
|
||||||
allow apexd vendor_apex_file:dir r_dir_perms;
|
r_dir_file(apexd, vendor_apex_file)
|
||||||
allow apexd vendor_apex_file:file r_file_perms;
|
r_dir_file(apexd, vendor_apex_metadata_file)
|
||||||
|
|
||||||
# Unmount and mount filesystems
|
# Unmount and mount filesystems
|
||||||
allow apexd labeledfs:filesystem { mount unmount };
|
allow apexd labeledfs:filesystem { mount unmount };
|
||||||
|
|
|
||||||
|
|
@ -2544,7 +2544,10 @@
|
||||||
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
|
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
|
||||||
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
|
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
|
||||||
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
|
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
|
||||||
(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
|
(typeattributeset vendor_configs_file_33_0
|
||||||
|
( vendor_configs_file
|
||||||
|
vendor_apex_metadata_file
|
||||||
|
))
|
||||||
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
|
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
|
||||||
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
|
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
|
||||||
(typeattributeset vendor_file_33_0 (vendor_file))
|
(typeattributeset vendor_file_33_0 (vendor_file))
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,7 @@ init_daemon_domain(derive_classpath)
|
||||||
|
|
||||||
# Read /apex
|
# Read /apex
|
||||||
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
|
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
|
||||||
|
allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Create /data/system/environ/classpath file
|
# Create /data/system/environ/classpath file
|
||||||
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
|
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,7 @@ init_daemon_domain(derive_sdk)
|
||||||
|
|
||||||
# Read /apex
|
# Read /apex
|
||||||
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
|
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
|
||||||
|
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
|
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
|
||||||
set_prop(derive_sdk, module_sdkextensions_prop)
|
set_prop(derive_sdk, module_sdkextensions_prop)
|
||||||
|
|
|
||||||
|
|
@ -609,6 +609,7 @@ full_treble_only(`
|
||||||
-same_process_hal_file
|
-same_process_hal_file
|
||||||
-vendor_app_file
|
-vendor_app_file
|
||||||
-vendor_apex_file
|
-vendor_apex_file
|
||||||
|
-vendor_apex_metadata_file
|
||||||
-vendor_configs_file
|
-vendor_configs_file
|
||||||
-vendor_service_contexts_file
|
-vendor_service_contexts_file
|
||||||
-vendor_framework_file
|
-vendor_framework_file
|
||||||
|
|
|
||||||
|
|
@ -19,6 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
|
||||||
# Allow linkerconfig to read apex-info-list.xml
|
# Allow linkerconfig to read apex-info-list.xml
|
||||||
allow linkerconfig apex_info_file:file r_file_perms;
|
allow linkerconfig apex_info_file:file r_file_perms;
|
||||||
|
|
||||||
|
# Allow linkerconfig to read apex_manifest.pb file from vendor apex
|
||||||
|
r_dir_file(linkerconfig, vendor_apex_metadata_file)
|
||||||
|
|
||||||
# Allow linkerconfig to be called in the otapreopt_chroot
|
# Allow linkerconfig to be called in the otapreopt_chroot
|
||||||
allow linkerconfig otapreopt_chroot:fd use;
|
allow linkerconfig otapreopt_chroot:fd use;
|
||||||
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
||||||
|
|
|
||||||
|
|
@ -136,6 +136,7 @@ neverallow shell self:perf_event ~{ open read write kernel };
|
||||||
allow shell apex_info_file:file r_file_perms;
|
allow shell apex_info_file:file r_file_perms;
|
||||||
allow shell vendor_apex_file:file r_file_perms;
|
allow shell vendor_apex_file:file r_file_perms;
|
||||||
allow shell vendor_apex_file:dir r_dir_perms;
|
allow shell vendor_apex_file:dir r_dir_perms;
|
||||||
|
allow shell vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Allow shell to read updated APEXes under /data/apex
|
# Allow shell to read updated APEXes under /data/apex
|
||||||
allow shell apex_data_file:dir search;
|
allow shell apex_data_file:dir search;
|
||||||
|
|
|
||||||
|
|
@ -258,6 +258,7 @@ allow zygote apex_info_file:file r_file_perms;
|
||||||
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
|
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
|
||||||
allow zygote vendor_apex_file:dir { getattr search };
|
allow zygote vendor_apex_file:dir { getattr search };
|
||||||
allow zygote vendor_apex_file:file { getattr };
|
allow zygote vendor_apex_file:file { getattr };
|
||||||
|
allow zygote vendor_apex_metadata_file:dir { search };
|
||||||
|
|
||||||
# Allow zygote to query for compression/features.
|
# Allow zygote to query for compression/features.
|
||||||
r_dir_file(zygote, sysfs_fs_f2fs)
|
r_dir_file(zygote, sysfs_fs_f2fs)
|
||||||
|
|
|
||||||
|
|
@ -381,6 +381,8 @@ type server_configurable_flags_data_file, file_type, data_file_type, core_data_f
|
||||||
type staging_data_file, file_type, data_file_type, core_data_file_type;
|
type staging_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
# /vendor/apex
|
# /vendor/apex
|
||||||
type vendor_apex_file, vendor_file_type, file_type;
|
type vendor_apex_file, vendor_file_type, file_type;
|
||||||
|
# apex_manifest.pb in vendor apex
|
||||||
|
type vendor_apex_metadata_file, vendor_file_type, file_type;
|
||||||
# /data/system/shutdown-checkpoints
|
# /data/system/shutdown-checkpoints
|
||||||
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
|
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1047,6 +1047,7 @@ define(`use_bootstrap_libs', `
|
||||||
define(`use_apex_info', `
|
define(`use_apex_info', `
|
||||||
allow $1 apex_mnt_dir:dir r_dir_perms;
|
allow $1 apex_mnt_dir:dir r_dir_perms;
|
||||||
allow $1 apex_info_file:file r_file_perms;
|
allow $1 apex_info_file:file r_file_perms;
|
||||||
|
r_dir_file($1, vendor_apex_metadata_file)
|
||||||
')
|
')
|
||||||
|
|
||||||
####################################
|
####################################
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue