# composd: host-side daemon that drives the CompOS VM and stages its output.
#
# Declared as an ordinary domain carrying the coredomain attribute; its
# executable is a system file.
type composd, domain, coredomain;
type composd_exec, system_file_type, exec_type, file_type;

# Started by init as a daemon, talks binder, and registers compos_service.
init_daemon_domain(composd)
binder_use(composd)
add_service(composd, compos_service)

# Completion callbacks go to system_server over binder.
binder_call(composd, system_server)

# Launching the VM goes through virtualizationservice.
virtualizationservice_use(composd)

# Properties that configure the CompOS VM itself (read access only).
get_prop(composd, composd_vm_art_prop)
get_prop(composd, composd_vm_vendor_prop)

# ART's own configuration properties, also read access only.
get_prop(composd, dalvik_config_prop_type)
get_prop(composd, device_config_runtime_native_boot_prop)

# Staging directory for odrefresh: directories are relabelled from the live
# artifact label (apex_art_data_file) to the staging label
# (apex_art_staging_data_file); staged files may be stat'ed and unlinked.
allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
allow composd apex_art_staging_data_file:file { getattr unlink };

# Existing odrefresh artifacts may be deleted ...
allow composd apex_art_data_file:file unlink;
# ... or opened for read/write so that fs-verity can be enabled on them.
# The allowxperm below makes FS_IOC_ENABLE_VERITY the only ioctl permitted
# on these files; no other ioctl reaches them from this domain.
allow composd apex_art_data_file:file { open read write ioctl };
allowxperm composd apex_art_data_file:file ioctl FS_IOC_ENABLE_VERITY;

# Our own APEX data directory: traverse the parent only, full control
# over directories and files beneath it.
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;

# fd_server runs in its own domain (compos_fd_server) via an automatic
# domain transition and is torn down with SIGTERM when composd is done.
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;

# Artifact files are never created by composd itself: given the rules above
# it may only modify or remove artifacts that already exist.
neverallow composd apex_art_data_file:file create;

# Only init (through ART's init script) may set the VM ART properties;
# every other domain, composd included, is limited to reading them.
neverallow { domain -init } composd_vm_art_prop:property_service set;