typeattribute kernel coredomain;

domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)

# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;

# The following sections are for the transition period during a Virtual A/B
# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
# context, and with properly labelled devices. This must be done before
# enabling enforcement, e.g., in permissive mode while still in the kernel
# context.
allow kernel tmpfs:blk_file { getattr relabelfrom };
allow kernel tmpfs:chr_file { getattr relabelfrom };
allow kernel tmpfs:lnk_file { getattr relabelfrom };
allow kernel tmpfs:dir { open read relabelfrom };

allow kernel block_device:blk_file relabelto;
allow kernel block_device:lnk_file relabelto;
allow kernel dm_device:chr_file relabelto;
allow kernel dm_device:blk_file relabelto;
allow kernel dm_user_device:dir { read open search relabelto };
allow kernel dm_user_device:chr_file relabelto;
allow kernel kmsg_device:chr_file relabelto;
allow kernel null_device:chr_file relabelto;
allow kernel random_device:chr_file relabelto;
allow kernel snapuserd_exec:file relabelto;

allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;

dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };

dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };

# Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into
# enforcing mode.
dontaudit kernel device:dir { open read relabelto };
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
  file_contexts_file
  hwservice_contexts_file
  mac_perms_file
  property_contexts_file
  seapp_contexts_file
  sepolicy_test_file
  service_contexts_file
}:file relabelto;