c9a7de49ea
This reverts commit eee72d6cb3d9f5c6001192247861b28cb0787827. REASON: not needed. See the other CL in the same topic. Bug: 197358423 Test: m Change-Id: Ice0813ed9e349e37c83b163e2c21f17bb1105013
46 lines
1.5 KiB
Text
46 lines
1.5 KiB
Text
# TODO(b/193504816): move this to compos APEX
|
|
type compos, domain, coredomain, microdroid_payload;
|
|
type compos_exec, exec_type, file_type, system_file_type;
|
|
|
|
# Expose RPC Binder service over vsock
|
|
allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
|
|
|
|
# Allow using various binder services
|
|
binder_use(compos);
|
|
use_keystore(compos);
|
|
allow compos {
|
|
authfs_binder_service
|
|
dice_node_service
|
|
}:service_manager find;
|
|
binder_call(compos, authfs_service);
|
|
binder_call(compos, diced);
|
|
allow compos diced:diced { get_attestation_chain use_sign };
|
|
|
|
# Allow payloads to use and manage their keys
|
|
allow compos vm_payload_key:keystore2_key {
|
|
delete
|
|
get_info
|
|
manage_blob
|
|
rebind
|
|
use
|
|
};
|
|
|
|
# Read artifacts created by odrefresh and create signature files.
|
|
allow compos authfs_fuse:dir rw_dir_perms;
|
|
allow compos authfs_fuse:file create_file_perms;
|
|
|
|
# Allow locating the authfs mount directory.
|
|
allow compos authfs_data_file:dir search;
|
|
|
|
# Run derive_classpath in our domain
|
|
allow compos derive_classpath_exec:file rx_file_perms;
|
|
allow compos apex_mnt_dir:dir r_dir_perms;
|
|
# Ignore harmless denials on /proc/self/fd
|
|
dontaudit compos self:dir write;
|
|
# See b/35323867#comment3
|
|
dontaudit compos self:global_capability_class_set dac_override;
|
|
|
|
# Allow domain transition into odrefresh and dex2oat.
|
|
# TODO(b/209008712): Remove dex2oat once the migration is done.
|
|
domain_auto_trans(compos, odrefresh_exec, odrefresh)
|
|
domain_auto_trans(compos, dex2oat_exec, dex2oat)
|