# Associate the profman domain with the coredomain attribute.
typeattribute profman coredomain;

# profman reads APKs and the profile files stored next to them through file
# descriptors handed over by other programs, and may take flocks on them.
# The permission set contains no `open` and no write permission: profman
# cannot open these files by path, it can only operate on descriptors it
# receives.
allow profman {
  apk_data_file
  system_file
  vendor_app_file
}:file { getattr lock map read };

# File descriptors are accepted only from these two privileged domains.
# When reviewing a change that adds a domain here, check that the new sender
# is trusted to choose which files profman reads.
allow profman { artd installd }:fd use;

# artd extracts the embedded profile from an APK and passes it to profman in a
# memfd. As above, the rule grants read-side permissions only (no `open`, no
# write) on artd's tmpfs-backed files.
allow profman artd_tmpfs:file { getattr lock map read };