# Domain for derive_sdk
type derive_sdk, domain, coredomain;
type derive_sdk_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_sdk)

# Read /apex
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;

# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
set_prop(derive_sdk, module_sdkextensions_prop)
neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;

# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
# The shell_data_file permissions are needed when a bugreport is taken:
# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
# this makes derive_sdk append to that file.
allow derive_sdk dumpstate:fd use;
allow derive_sdk dumpstate:unix_stream_socket { read write };
allow derive_sdk shell_data_file:file { getattr append read write };