platform_system_sepolicy/prebuilts/api/29.0/public/idmap.te
Tri Vo 336d0fed4e Reland "Fake 29.0 sepolicy prebuilts"
I took current AOSP policy as base, then removed sepolicy so that the
set of type and attributes was a subset of types and attributes in Q
sepolicy, with exception of those that have not yet been cleand up in
current AOSP:

mediaswcodec_server
netd_socket
mediaextractor_update_service
thermalserviced
thermalserviced_exec

Bug: 133196056
Test: n/a
Change-Id: I863429d61d3fad0272c1d3f1e429cd997513a74a
Merged-In: I3e091652fa8d1757b1f71f7559186d5b32f000d5
2019-06-01 17:20:18 -07:00

30 lines
1.1 KiB
Text

# idmap, when executed by installd
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file create_file_perms;
allow idmap resourcecache_data_file:dir rw_dir_perms;
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
# Allow the idmap2d binary to register as a service and communicate via AIDL
binder_use(idmap)
add_service(idmap, idmap_service)