# Private sepolicy for the `kernel` domain (system/sepolicy, API 32.0 prebuilt
# snapshot). Most of this file exists for the Virtual A/B OTA window in which
# snapuserd is still running in the kernel domain before policy is enforced.
typeattribute kernel coredomain;

# Automatic domain transitions: when the kernel domain executes a file labelled
# init_exec the new process runs as init; executing snapuserd_exec yields the
# snapuserd domain. These are the only ways code leaves the kernel domain here.
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)

# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
# Only `read` is granted on postinstall_file, not `open`; together with the fd
# use rule this looks like it covers descriptors handed over already open
# rather than files the kernel domain opens itself — confirm against
# otapreopt_chroot.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;

# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, eg, in permissive mode while still in the kernel
# context.
#
# A relabel needs both halves: relabelfrom on the object's current type and
# relabelto on the destination type. relabelfrom is granted on tmpfs only,
# presumably because /dev is a tmpfs and nodes created before policy load still
# carry its label. getattr/open/read/search are the minimum needed to walk the
# tree and inspect each node before relabelling it.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };

# Destination types for the relabel above: block devices, device-mapper nodes,
# the dm-user control directory and nodes, and the kmsg/null/random character
# devices. snapuserd_exec:file has no matching relabelfrom in this file, so the
# source-type half of that relabel must be granted elsewhere — TODO confirm.
allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
allow kernel snapuserd_exec:file relabelto;

# Write access to the kmsg character device, presumably so the early snapuserd
# path still running in kernel context can log to the kernel ring buffer —
# confirm.
allow kernel kmsg_device:chr_file write;
# NOTE(review): undocumented. Lets the kernel domain use file descriptors owned
# by gsid; record which code path depends on this so it can be revisited.
allow kernel gsid:fd use;