• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1typeattribute kernel coredomain;
2
3domain_auto_trans(kernel, init_exec, init)
4domain_auto_trans(kernel, snapuserd_exec, snapuserd)
5
6# Allow the kernel to read otapreopt_chroot's file descriptors and files under
7# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
8allow kernel otapreopt_chroot:fd use;
9allow kernel postinstall_file:file read;
10
11# The following sections are for the transition period during a Virtual A/B
12# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
13# context, and with properly labelled devices. This must be done before
14# enabling enforcement, eg, in permissive mode while still in the kernel
15# context.
16allow kernel tmpfs:blk_file { getattr relabelfrom };
17allow kernel tmpfs:chr_file { getattr relabelfrom };
18allow kernel tmpfs:lnk_file { getattr relabelfrom };
19allow kernel tmpfs:dir { open read relabelfrom };
20
21allow kernel block_device:blk_file relabelto;
22allow kernel block_device:lnk_file relabelto;
23allow kernel dm_device:chr_file relabelto;
24allow kernel dm_device:blk_file relabelto;
25allow kernel dm_user_device:dir { read open search relabelto };
26allow kernel dm_user_device:chr_file relabelto;
27allow kernel kmsg_device:chr_file relabelto;
28allow kernel null_device:chr_file relabelto;
29allow kernel random_device:chr_file relabelto;
30allow kernel snapuserd_exec:file relabelto;
31
32allow kernel kmsg_device:chr_file write;
33allow kernel gsid:fd use;
34
35dontaudit kernel metadata_file:dir search;
36dontaudit kernel ota_metadata_file:dir rw_dir_perms;
37dontaudit kernel sysfs:dir r_dir_perms;
38dontaudit kernel sysfs:file { open read write };
39dontaudit kernel sysfs:chr_file { open read write };
40dontaudit kernel dm_device:chr_file ioctl;
41dontaudit kernel self:capability { sys_admin setgid mknod };
42
43dontaudit kernel dm_user_device:dir { write add_name };
44dontaudit kernel dm_user_device:chr_file { create setattr };
45dontaudit kernel tmpfs:lnk_file read;
46dontaudit kernel tmpfs:blk_file { open read };
47
48# Some contexts are changed before the device is flipped into enforcing mode
49# during the setup of Apex sepolicy. These denials can be suppressed since
50# the permissions should not be allowed after the device is flipped into
51# enforcing mode.
52dontaudit kernel device:dir { open read relabelto };
53dontaudit kernel tmpfs:file { getattr open read relabelfrom };
54dontaudit kernel {
55  file_contexts_file
56  hwservice_contexts_file
57  mac_perms_file
58  property_contexts_file
59  seapp_contexts_file
60  sepolicy_test_file
61  service_contexts_file
62}:file relabelto;
63