xref: /aosp_15_r20/system/sepolicy/private/compos_fd_server.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# Make ART inputs and outputs available to the CompOS VM
#
# Policy for the compos_fd_server domain. Everything granted below is scoped to
# four things: fds and a pipe inherited from composd, the two ART data trees,
# and a vsock listener for the VM. The neverallow rules at the end pin down how
# the domain may be entered.
type compos_fd_server, domain, coredomain;

# Allow access to open fds inherited from composd
# Only fd:use is granted here; operations on whatever each descriptor refers to
# are still checked against that object's own label.
allow compos_fd_server composd:fd use;

# Allow creating new files and directories in the staging directory.
# create_dir_perms / create_file_perms are permission-set macros defined
# elsewhere in the policy (not visible here); they cover more than bare
# "create", so this is effectively full write access to the staging tree.
allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
allow compos_fd_server apex_art_staging_data_file:file create_file_perms;

# Allow creating new files and directories in the artifacts directory.
# NOTE(review): the same write access applies to the final artifacts tree, so
# anything that later loads files labelled apex_art_data_file is trusting this
# domain's output - confirm consumers verify artifacts before use.
allow compos_fd_server apex_art_data_file:dir create_dir_perms;
allow compos_fd_server apex_art_data_file:file create_file_perms;

# Use a pipe to signal readiness
# The pipe carries composd's label, hence composd:fifo_file as the target.
allow compos_fd_server composd:fifo_file write;

# TODO(b/196109647) - remove this when no longer needed by minijail
# Read access is kept as a separate rule so it can be dropped without touching
# the write permission above once the TODO is resolved.
allow compos_fd_server composd:fifo_file read;

# Create a listening vsock for the VM to connect back to
# The _no_ioctl variant of the socket permission macro is used, so ioctl on the
# socket is not granted; listen and accept are added for the server role.
# The rule targets self, i.e. only sockets this domain created.
allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Only composd can enter the domain via exec
# neverallow rules grant nothing: they are assertions checked when the policy is
# built. The first forbids a process transition into compos_fd_server from any
# domain except composd; the rule that actually allows composd's transition is
# not in this file. The second forbids dyntransition into the domain from every
# source, composd included.
neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;