# ART APEX preinstall.
#
# Policy for the art_apex_preinstall domain: scripts that prepare
# compilation artifacts under /data/ota, run dex2oat, and do fs-verity work
# on the resulting files.

type art_apex_preinstall, domain, coredomain;
type art_apex_preinstall_exec, system_file_type, exec_type, file_type;

# --- Script execution -------------------------------------------------------

# /system/bin/sh (see b/126787589): use file descriptors owned by apexd.
allow art_apex_preinstall apexd:fd use;

# Script helpers: the shell and toolbox, read + execute only.
allow art_apex_preinstall { shell_exec toolbox_exec }:file rx_file_perms;

# Execute subscripts in the same domain (no transition).
allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;

# Run dex2oat; executing dex2oat_exec transitions into the dex2oat domain
# instead of running with this domain's permissions.
domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)

# --- Staging area under /data/ota -------------------------------------------

# Create temp dirs and files under /data/ota.
allow art_apex_preinstall ota_data_file:dir create_dir_perms;
allow art_apex_preinstall ota_data_file:file create_file_perms;

# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
# mount namespace. Only directory read access and mounton are granted on
# dalvikcache_data_file; no write access is given here.
allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
# mount(2) requires CAP_SYS_ADMIN.
# NOTE(review): sys_admin covers far more than mounting; confirm the mount
# above is the only operation in this domain that depends on it.
allow art_apex_preinstall self:capability sys_admin;

# --- fs-verity --------------------------------------------------------------

# Fsverity in the same domain.
# NOTE(review): this rule covers every file labeled system_file, not just the
# fsverity tool, and keeps whatever is executed in this sys_admin-capable
# domain. A dedicated exec type for the tool would narrow it; verify whether
# one is available.
allow art_apex_preinstall system_file:file execute_no_trans;

# Fsverity work: the only ioctl commands listed for ota_data_file files are
# the two fs-verity ones (enable and measure).
allowxperm art_apex_preinstall ota_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };