6f73396d4c
As part of extending linkerconfig execution based on mount namespace and APEX status, linkerconfig will be executed from init with logwrap. To support this there should be an extra sepolicy to allow linkerconfig to be executed with logwrap. Bug: 144664390 Test: m -j passed & cuttlefish booted Change-Id: Ia8b970a1c396a769eff4b102afbf4d33802923cf
# Process domain for linkerconfig; it carries the domain and coredomain
# attributes.
type linkerconfig, domain, coredomain;
# Label for the linkerconfig executable file, carrying the exec_type, file_type
# and system_file_type attributes.
type linkerconfig_exec, exec_type, file_type, system_file_type;
# Declare linkerconfig as a daemon domain started by init. The macro is defined
# elsewhere; presumably it sets up the init -> linkerconfig transition when
# init executes a linkerconfig_exec file -- confirm against the macro definition.
init_daemon_domain(linkerconfig)
## Read and write linkerconfig subdirectory.
# Directory access is scoped to the linkerconfig_file label only, using the
# rw_dir_perms set (macro defined elsewhere -- confirm the exact permissions).
allow linkerconfig linkerconfig_file:dir rw_dir_perms;
# Regular files with the linkerconfig_file label get the create_file_perms set
# (macro defined elsewhere -- confirm the exact permissions it expands to).
allow linkerconfig linkerconfig_file:file create_file_perms;
# Allow linkerconfig to log to the kernel.
# w_file_perms (macro defined elsewhere) is expected to be write-side only, so
# this should not let linkerconfig read kernel log contents -- confirm.
allow linkerconfig kmsg_device:chr_file w_file_perms;
# Allow linkerconfig to be invoked with logwrapper from init.
# Only read and write are granted on devpts, not open: linkerconfig can use a
# pty descriptor it is handed, but this rule does not let it open one itself.
# NOTE(review): devpts looks like the generic pty label rather than a
# linkerconfig-specific one -- confirm that scope is intended.
allow linkerconfig devpts:chr_file { read write };
# Build-time assertion: no domain other than init and linkerconfig itself may be
# granted the no_x_file_perms set (macro defined elsewhere, presumably the
# execute permissions -- confirm) on linkerconfig_exec, so later policy cannot
# quietly let another domain run the binary.
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;