# Policy for the kernel domain. The kernel is a core-system domain.
typeattribute kernel coredomain;

# Domain transitions out of the kernel: executing init_exec lands in init,
# executing snapuserd_exec lands in snapuserd.
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)

# otapreopt_chroot reuses apexd logic to mount APEX packages under
# /postinstall/apex, so the kernel needs its fds and the files under
# /postinstall.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;

# Virtual A/B OTA transition window. After sepolicy is loaded, snapuserd has
# to be re-launched in its own context with correctly labelled device nodes.
# That happens before enforcement is enabled, i.e. still in permissive mode
# and still in the kernel context, which is why the relabel permissions below
# are granted to kernel rather than to snapuserd.
#
# Sources of the relabel: unlabelled nodes living on tmpfs.
allow kernel tmpfs:{ blk_file chr_file lnk_file } { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };

# Targets of the relabel: the device types the nodes end up with.
allow kernel { block_device dm_device }:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel { dm_device dm_user_device kmsg_device null_device random_device }:chr_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel snapuserd_exec:file relabelto;

# Logging to /dev/kmsg and fd inheritance from gsid during the same window.
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;

# The dontaudit rules below only silence audit messages; they grant nothing.
# They cover accesses that happen while the device is still permissive and
# that must not be allowed once it is enforcing.
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
dontaudit kernel sysfs:{ file chr_file } { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };

dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };

# Apex sepolicy setup relabels some contexts before the device is flipped to
# enforcing. The resulting denials are suppressed rather than allowed, since
# these relabels must not be permitted in enforcing mode.
dontaudit kernel device:dir { open read relabelto };
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
    file_contexts_file
    hwservice_contexts_file
    mac_perms_file
    property_contexts_file
    seapp_contexts_file
    sepolicy_test_file
    service_contexts_file
}:file relabelto;