57346a0566
Add rights to create and install fsverity data. Bug: 125474642 Test: m Change-Id: I752c40c7b396b2da082cb17641702a2c5c11b9c3
39 lines
1.3 KiB
Text
39 lines
1.3 KiB
Text
# ART APEX preinstall.
|
|
#
|
|
|
|
type art_apex_preinstall, domain, coredomain;
|
|
type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
|
|
|
|
# /dev/zero
|
|
allow art_apex_preinstall apexd:fd use;
|
|
|
|
# Create temp dirs and files under /data/ota.
|
|
allow art_apex_preinstall ota_data_file:dir create_dir_perms;
|
|
allow art_apex_preinstall ota_data_file:file create_file_perms;
|
|
# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
|
|
# mount namespace.
|
|
allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
|
|
allow art_apex_preinstall self:capability sys_admin;
|
|
|
|
# Script helpers.
|
|
allow art_apex_preinstall shell_exec:file rx_file_perms;
|
|
allow art_apex_preinstall toolbox_exec:file rx_file_perms;
|
|
|
|
# Execute subscripts in the same domain.
|
|
allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
|
|
|
|
# Run dex2oat.
|
|
domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
|
|
|
|
# Fsverity in the same domain.
|
|
allow art_apex_preinstall system_file:file execute_no_trans;
|
|
# Fsverity work.
|
|
allowxperm art_apex_preinstall ota_data_file:file ioctl {
|
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
|
};
|
|
|
|
allow art_apex_preinstall kernel:key search;
|
|
# For testing purposes, allow keys installed with su.
|
|
userdebug_or_eng(`
|
|
allow art_apex_preinstall su:key search;
|
|
')
|