1*e4a36f41SAndroid Build Coastguard Workertype composd, domain, coredomain; 2*e4a36f41SAndroid Build Coastguard Workertype composd_exec, system_file_type, exec_type, file_type; 3*e4a36f41SAndroid Build Coastguard Worker 4*e4a36f41SAndroid Build Coastguard Worker# Host dynamic AIDL services 5*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(composd) 6*e4a36f41SAndroid Build Coastguard Workerbinder_use(composd) 7*e4a36f41SAndroid Build Coastguard Workeradd_service(composd, compos_service) 8*e4a36f41SAndroid Build Coastguard Worker 9*e4a36f41SAndroid Build Coastguard Worker# Call back into system server 10*e4a36f41SAndroid Build Coastguard Workerbinder_call(composd, system_server) 11*e4a36f41SAndroid Build Coastguard Worker 12*e4a36f41SAndroid Build Coastguard Worker# Start a VM 13*e4a36f41SAndroid Build Coastguard Workervirtualizationservice_use(composd) 14*e4a36f41SAndroid Build Coastguard Worker 15*e4a36f41SAndroid Build Coastguard Worker# Prepare staging directory for odrefresh 16*e4a36f41SAndroid Build Coastguard Workerallow composd apex_art_data_file:dir { create_dir_perms relabelfrom }; 17*e4a36f41SAndroid Build Coastguard Workerallow composd apex_art_staging_data_file:dir { create_dir_perms relabelto }; 18*e4a36f41SAndroid Build Coastguard Workerallow composd apex_art_staging_data_file:file { getattr unlink }; 19*e4a36f41SAndroid Build Coastguard Worker 20*e4a36f41SAndroid Build Coastguard Worker# Delete files or enable fs-verity in the odrefresh target directory 21*e4a36f41SAndroid Build Coastguard Workerallow composd apex_art_data_file:file { open ioctl read unlink write }; 22*e4a36f41SAndroid Build Coastguard Workerallowxperm composd apex_art_data_file:file ioctl FS_IOC_ENABLE_VERITY; 23*e4a36f41SAndroid Build Coastguard Worker 24*e4a36f41SAndroid Build Coastguard Worker# Access our APEX data files 25*e4a36f41SAndroid Build Coastguard Workerallow composd apex_module_data_file:dir search; 26*e4a36f41SAndroid Build Coastguard Workerallow composd apex_compos_data_file:dir create_dir_perms; 27*e4a36f41SAndroid Build Coastguard Workerallow composd apex_compos_data_file:file create_file_perms; 28*e4a36f41SAndroid Build Coastguard Worker 29*e4a36f41SAndroid Build Coastguard Worker# Run fd_server in its own domain, and send SIGTERM when finished. 30*e4a36f41SAndroid Build Coastguard Workerdomain_auto_trans(composd, fd_server_exec, compos_fd_server) 31*e4a36f41SAndroid Build Coastguard Workerallow composd compos_fd_server:process signal; 32*e4a36f41SAndroid Build Coastguard Worker 33*e4a36f41SAndroid Build Coastguard Worker# Read properties used to configure the CompOS VM 34*e4a36f41SAndroid Build Coastguard Workerget_prop(composd, composd_vm_art_prop) 35*e4a36f41SAndroid Build Coastguard Workerget_prop(composd, composd_vm_vendor_prop) 36*e4a36f41SAndroid Build Coastguard Worker 37*e4a36f41SAndroid Build Coastguard Worker# Read ART's properties 38*e4a36f41SAndroid Build Coastguard Workerget_prop(composd, dalvik_config_prop_type) 39*e4a36f41SAndroid Build Coastguard Workerget_prop(composd, device_config_runtime_native_boot_prop) 40*e4a36f41SAndroid Build Coastguard Worker 41*e4a36f41SAndroid Build Coastguard Worker# We never create any artifact files directly 42*e4a36f41SAndroid Build Coastguard Workerneverallow composd apex_art_data_file:file create; 43*e4a36f41SAndroid Build Coastguard Worker 44*e4a36f41SAndroid Build Coastguard Worker# ART sets these properties via init script, nothing else should 45*e4a36f41SAndroid Build Coastguard Workerneverallow { domain -init } composd_vm_art_prop:property_service set; 46