1 2# Domain for derive_sdk 3type derive_sdk, domain, coredomain; 4type derive_sdk_exec, system_file_type, exec_type, file_type; 5init_daemon_domain(derive_sdk) 6 7# Read /apex 8allow derive_sdk apex_mnt_dir:dir r_dir_perms; 9 10# Prop rules: writable by derive_sdk, readable by bootclasspath (apps) 11set_prop(derive_sdk, module_sdkextensions_prop) 12neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set; 13 14# Allow derive_sdk to write data back to dumpstate when forked from dumpstate. 15# The shell_data_file permissions are needed when a bugreport is taken: 16# dumpstate will redirect its stdout to a temporary shell_data_file:file, and 17# this makes derive_sdk append to that file. 18allow derive_sdk dumpstate:fd use; 19allow derive_sdk dumpstate:unix_stream_socket { read write }; 20allow derive_sdk shell_data_file:file { getattr append read write }; 21