e987dcff74
..which is inherited from microdroid_manager. Bug: 258760809 Test: atest MicrodroidHostTestCases MicrodroidTestApp Change-Id: I839a0e6b4702e811db58b0cc44dd3b599c10a0b8
42 lines
1.6 KiB
Text
42 lines
1.6 KiB
Text
# apkdmverity is a program that protects a signed APK file using dm-verity.
|
|
|
|
type apkdmverity, domain, coredomain;
|
|
type apkdmverity_exec, exec_type, file_type, system_file_type;
|
|
|
|
# apkdmverity is using bootstrap bionic
|
|
use_bootstrap_libs(apkdmverity)
|
|
|
|
# apkdmverity accesses "payload metadata disk" which points to
|
|
# a /dev/vd* block device file.
|
|
allow apkdmverity block_device:dir r_dir_perms;
|
|
allow apkdmverity block_device:lnk_file r_file_perms;
|
|
allow apkdmverity vd_device:blk_file r_file_perms;
|
|
|
|
# allow apkdmverity to create dm-verity devices
|
|
allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms;
|
|
# sys_admin is required to access the device-mapper and mount
|
|
allow apkdmverity self:global_capability_class_set sys_admin;
|
|
|
|
# allow apkdmverity to create loop devices with /dev/loop-control
|
|
allow apkdmverity loop_control_device:chr_file rw_file_perms;
|
|
|
|
# allow apkdmverity to read the roothash passed from microdroid_manager
|
|
get_prop(apkdmverity, microdroid_manager_roothash_prop)
|
|
|
|
# allow apkdmverity to access loop devices
|
|
allow apkdmverity loop_device:blk_file rw_file_perms;
|
|
allowxperm apkdmverity loop_device:blk_file ioctl {
|
|
LOOP_CONFIGURE
|
|
};
|
|
|
|
# allow apkdmverity to log to the kernel
|
|
allow apkdmverity kmsg_device:chr_file w_file_perms;
|
|
|
|
# allow apkdmverity to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
|
|
allow apkdmverity kmsg_debug_device:chr_file w_file_perms;
|
|
|
|
# apkdmverity is forked from microdroid_manager
|
|
allow apkdmverity microdroid_manager:fd use;
|
|
|
|
# Only microdroid_manager can run apkdmverity
|
|
neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition };
|