75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
26 lines
877 B
Text
26 lines
877 B
Text
typeattribute idmap coredomain;
|
|
|
|
init_daemon_domain(idmap)
|
|
|
|
# Allow read + write access to /data/resource-cache
|
|
allow idmap resourcecache_data_file:file create_file_perms;
|
|
allow idmap resourcecache_data_file:dir rw_dir_perms;
|
|
|
|
# Open and read from target and overlay apk files passed by argument.
|
|
allow idmap apk_data_file:file r_file_perms;
|
|
allow idmap apk_data_file:dir search;
|
|
|
|
# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
|
|
allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
|
allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
|
|
|
|
# Allow apps access to /vendor/app
|
|
r_dir_file(idmap, vendor_app_file)
|
|
|
|
# Allow apps access to /vendor/overlay
|
|
r_dir_file(idmap, vendor_overlay_file)
|
|
|
|
# Allow the idmap2d binary to register as a service and communicate via AIDL
|
|
binder_use(idmap)
|
|
binder_service(idmap)
|
|
add_service(idmap, idmap_service)
|