1*e4a36f41SAndroid Build Coastguard Workertype snapshotctl, domain, coredomain; 2*e4a36f41SAndroid Build Coastguard Workertype snapshotctl_exec, system_file_type, exec_type, file_type; 3*e4a36f41SAndroid Build Coastguard Worker 4*e4a36f41SAndroid Build Coastguard Worker# Allow init to run snapshotctl and do auto domain transfer. 5*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(snapshotctl); 6*e4a36f41SAndroid Build Coastguard Worker 7*e4a36f41SAndroid Build Coastguard Worker# Allow to start gsid service. 8*e4a36f41SAndroid Build Coastguard Workerset_prop(snapshotctl, ctl_gsid_prop) 9*e4a36f41SAndroid Build Coastguard Worker 10*e4a36f41SAndroid Build Coastguard Worker# Allow to talk to gsid. 11*e4a36f41SAndroid Build Coastguard Workerbinder_use(snapshotctl) 12*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl gsi_service:service_manager find; 13*e4a36f41SAndroid Build Coastguard Workerbinder_call(snapshotctl, gsid) 14*e4a36f41SAndroid Build Coastguard Worker 15*e4a36f41SAndroid Build Coastguard Worker# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status. 16*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl metadata_file:dir search; 17*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl ota_metadata_file:dir rw_dir_perms; 18*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl ota_metadata_file:file create_file_perms; 19*e4a36f41SAndroid Build Coastguard Worker 20*e4a36f41SAndroid Build Coastguard Worker# Allow to get A/B slot suffix from device tree or kernel cmdline. 21*e4a36f41SAndroid Build Coastguard Workerr_dir_file(snapshotctl, sysfs_dt_firmware_android); 22*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl proc_cmdline:file r_file_perms; 23*e4a36f41SAndroid Build Coastguard Worker 24*e4a36f41SAndroid Build Coastguard Worker# Needed to (re-)map logical partitions. 25*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl block_device:dir r_dir_perms; 26*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl super_block_device:blk_file r_file_perms; 27*e4a36f41SAndroid Build Coastguard Worker 28*e4a36f41SAndroid Build Coastguard Worker# Interact with device-mapper to collapse snapshots. 29*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl dm_device:chr_file rw_file_perms; 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker# Needed to mutate device-mapper nodes. 32*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl self:global_capability_class_set sys_admin; 33*e4a36f41SAndroid Build Coastguard Worker 34*e4a36f41SAndroid Build Coastguard Worker# Snapshotctl talk to boot control HAL to set merge status. 35*e4a36f41SAndroid Build Coastguard Workerhwbinder_use(snapshotctl) 36*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(snapshotctl, hal_bootctl) 37*e4a36f41SAndroid Build Coastguard Worker 38*e4a36f41SAndroid Build Coastguard Worker# Allow snapshotctl to write to statsd socket. 39*e4a36f41SAndroid Build Coastguard Workerunix_socket_send(snapshotctl, statsdw, statsd) 40*e4a36f41SAndroid Build Coastguard Worker 41*e4a36f41SAndroid Build Coastguard Worker# Logging 42*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(` 43*e4a36f41SAndroid Build Coastguard Worker allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms; 44*e4a36f41SAndroid Build Coastguard Worker allow snapshotctl snapshotctl_log_data_file:file create_file_perms; 45*e4a36f41SAndroid Build Coastguard Worker') 46