b6211b88cf
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes. Bug: 285075529 Test: m && launch_cvd Test: atest VendorApexHostTestsCases Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
21 lines
925 B
Text
21 lines
925 B
Text
|
|
# Domain for derive_sdk
|
|
type derive_sdk, domain, coredomain;
|
|
type derive_sdk_exec, system_file_type, exec_type, file_type;
|
|
init_daemon_domain(derive_sdk)
|
|
|
|
# Read /apex
|
|
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
|
|
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
|
|
|
|
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
|
|
set_prop(derive_sdk, module_sdkextensions_prop)
|
|
neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
|
|
|
|
# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
|
|
# The shell_data_file permissions are needed when a bugreport is taken:
|
|
# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
|
|
# this makes derive_sdk append to that file.
|
|
allow derive_sdk dumpstate:fd use;
|
|
allow derive_sdk dumpstate:unix_stream_socket { read write };
|
|
allow derive_sdk shell_data_file:file { getattr append read write };
|