5c6a227ebb
Copy the final system sepolicy from oc-dev to its prebuilt dir corresponding to its version (26.0) so that we can uprev policy and start maintaining compatibility files, as well as use it for CTS tests targeting future platforms. Bug: 37896931 Test: none, this just copies the old policy. Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93
27 lines
1.2 KiB
Text
27 lines
1.2 KiB
Text
# otapreopt_slot
|
|
#
|
|
# This command set moves the artifact corresponding to the current slot
|
|
# from /data/ota to /data/dalvik-cache.
|
|
|
|
type otapreopt_slot, domain, mlstrustedsubject;
|
|
type otapreopt_slot_exec, exec_type, file_type;
|
|
|
|
|
|
# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
|
|
# the directory afterwards. For logging of aggregate size, we need getattr.
|
|
allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
|
|
allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
|
|
# (du follows symlinks)
|
|
allow otapreopt_slot ota_data_file:lnk_file read;
|
|
|
|
# Delete old content of the dalvik-cache.
|
|
allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
|
|
allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
|
|
allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
|
|
|
|
# Allow cppreopts to execute itself using #!/system/bin/sh
|
|
allow otapreopt_slot shell_exec:file rx_file_perms;
|
|
|
|
# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
|
|
# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
|
|
allow otapreopt_slot toolbox_exec:file rx_file_perms;
|