67e14adba6
Add rights to check and enable fsverity data. Bug: 125474642 Test: m Change-Id: I35ce4d6ac3db5b00d35860033a5751de26acf17c
36 lines
1.3 KiB
Text
36 lines
1.3 KiB
Text
# ART APEX postinstall.
|
|
#
|
|
|
|
type art_apex_postinstall, domain, coredomain;
|
|
type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
|
|
|
|
# /dev/zero
|
|
allow art_apex_postinstall apexd:fd use;
|
|
|
|
# Read temp dirs and files. Move directories.
|
|
allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
|
|
allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
|
|
# We're deleting the old /data/dalvik-cache/* and move the new ones
|
|
# over.
|
|
allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
|
|
allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
|
|
|
|
# Required for relabel.
|
|
allow art_apex_postinstall file_contexts_file:file r_file_perms;
|
|
|
|
# Script helpers.
|
|
allow art_apex_postinstall shell_exec:file rx_file_perms;
|
|
allow art_apex_postinstall toolbox_exec:file rx_file_perms;
|
|
|
|
# Fsverity in the same domain.
|
|
allow art_apex_postinstall system_file:file execute_no_trans;
|
|
# Fsverity work.
|
|
allowxperm art_apex_postinstall ota_data_file:file ioctl {
|
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
|
};
|
|
|
|
allow art_apex_postinstall kernel:key search;
|
|
# For testing purposes, allow keys installed with su.
|
|
userdebug_or_eng(`
|
|
allow art_apex_postinstall su:key search;
|
|
')
|