# ART APEX postinstall.
#

type art_apex_postinstall, domain, coredomain;
type art_apex_postinstall_exec, system_file_type, exec_type, file_type;

# /dev/zero
allow art_apex_postinstall apexd:fd use;

# Read temp dirs and files. Move directories.
allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
# We're deleting the old /data/dalvik-cache/* and move the new ones
# over.
allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };

# Required for relabel.
allow art_apex_postinstall file_contexts_file:file r_file_perms;

# Script helpers.
allow art_apex_postinstall shell_exec:file rx_file_perms;
allow art_apex_postinstall toolbox_exec:file rx_file_perms;

# Fsverity in the same domain.
allow art_apex_postinstall system_file:file execute_no_trans;
# Fsverity work.
allowxperm art_apex_postinstall ota_data_file:file ioctl {
  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};

allow art_apex_postinstall kernel:key search;
# For testing purposes, allow keys installed with su.
userdebug_or_eng(`
  allow art_apex_postinstall su:key search;
')