# Domain for derive_sdk
# Declares the derive_sdk process domain and the label of its executable.
# Every rule below is an explicit allow-list entry; anything not granted here
# (or by the attributes/macros used here) stays denied for this domain.
type derive_sdk, domain, coredomain;
type derive_sdk_exec, system_file_type, exec_type, file_type;
# init_daemon_domain() sets up the automatic transition from init into the
# derive_sdk domain when init executes a file labeled derive_sdk_exec.
init_daemon_domain(derive_sdk)

# Read /apex
# Directory read access only (r_dir_perms); no file-class permissions on these
# types are granted in this file.
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;

# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
# Only the write side is defined here; the read grants mentioned above are not
# part of this file.
set_prop(derive_sdk, module_sdkextensions_prop)
# Build-time assertion: policy compilation fails if any domain other than init
# and derive_sdk is allowed to set module_sdkextensions_prop. This keeps the
# property single-writer even if a later rule or attribute would widen access.
neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;

# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
# The shell_data_file permissions are needed when a bugreport is taken:
# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
# this makes derive_sdk append to that file.
# The fd and socket rules cover descriptors inherited from dumpstate.
allow derive_sdk dumpstate:fd use;
allow derive_sdk dumpstate:unix_stream_socket { read write };
# No `open` is granted on shell_data_file, so access is limited to descriptors
# handed to derive_sdk rather than files it opens by path.
# NOTE(review): the comment above describes an append-only use, but this rule
# also grants `read` and `write`. Confirm whether { getattr append } is enough
# for the bugreport path before narrowing it.
allow derive_sdk shell_data_file:file { getattr append read write };