tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge changes from topic "artd-sepolicy-b254013425" am: d09a14baee am: 33426b1423

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2369929

Change-Id: I5d03241b079692da856025a33b24013728fa0e57
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Jiakai Zhang 2023-01-04 19:00:52 +00:00 committed by Automerger Merge Worker
commit 923a805f7c
1 changed files with 23 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
private/artd.te
View file

@ -71,8 +71,9 @@ allow artd apex_info_file:file r_file_perms;
# profile files to the system or apps.
allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
allow artd user_profile_root_file:dir { getattr search };
# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
allow artd user_profile_root_file:dir r_dir_perms;
allow artd user_profile_data_file:dir rw_dir_perms;
allow artd user_profile_data_file:file create_file_perms;
@ -94,6 +95,26 @@ allow artd seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context, for restorecon.
selinux_check_context(artd)
# Allow scanning /, for cleaning up obsolete managed files.
allow artd rootfs:dir r_dir_perms;
# Allow scanning /data, for cleaning up obsolete managed files.
allow artd system_data_root_file:dir r_dir_perms;
# Allow scanning /mnt, for cleaning up obsolete managed files.
allow artd tmpfs:dir r_dir_perms;
# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
allow artd mnt_expand_file:dir r_dir_perms;
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
# up obsolete managed files.
allow artd system_userdir_file:dir r_dir_perms;
# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
allow artd system_data_file:dir r_dir_perms;
# Never allow running other binaries without a domain transition.
# The only exception is art_exec. It is allowed to use the artd domain because
# it is a thin wrapper that executes other binaries on behalf of artd.