1*e4a36f41SAndroid Build Coastguard Workertype snapshotctl, domain, coredomain; 2*e4a36f41SAndroid Build Coastguard Workertype snapshotctl_exec, system_file_type, exec_type, file_type; 3*e4a36f41SAndroid Build Coastguard Worker 4*e4a36f41SAndroid Build Coastguard Worker# Allow init to run snapshotctl and do auto domain transfer. 5*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(snapshotctl); 6*e4a36f41SAndroid Build Coastguard Worker 7*e4a36f41SAndroid Build Coastguard Worker# Allow to start gsid service. 8*e4a36f41SAndroid Build Coastguard Workerset_prop(snapshotctl, ctl_gsid_prop) 9*e4a36f41SAndroid Build Coastguard Worker 10*e4a36f41SAndroid Build Coastguard Worker# Allow to talk to gsid. 11*e4a36f41SAndroid Build Coastguard Workerbinder_use(snapshotctl) 12*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl gsi_service:service_manager find; 13*e4a36f41SAndroid Build Coastguard Workerbinder_call(snapshotctl, gsid) 14*e4a36f41SAndroid Build Coastguard Worker 15*e4a36f41SAndroid Build Coastguard Worker# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status. 16*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl metadata_file:dir search; 17*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl ota_metadata_file:dir rw_dir_perms; 18*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl ota_metadata_file:file create_file_perms; 19*e4a36f41SAndroid Build Coastguard Worker 20*e4a36f41SAndroid Build Coastguard Worker# Allow to get A/B slot suffix from device tree or kernel cmdline. 21*e4a36f41SAndroid Build Coastguard Workerr_dir_file(snapshotctl, sysfs_dt_firmware_android); 22*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl proc_cmdline:file r_file_perms; 23*e4a36f41SAndroid Build Coastguard Worker 24*e4a36f41SAndroid Build Coastguard Worker# Needed to (re-)map logical partitions. 25*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl block_device:dir r_dir_perms; 26*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl super_block_device:blk_file r_file_perms; 27*e4a36f41SAndroid Build Coastguard Worker 28*e4a36f41SAndroid Build Coastguard Worker# Interact with device-mapper to collapse snapshots. 29*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl dm_device:chr_file rw_file_perms; 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker# Needed to mutate device-mapper nodes. 32*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl self:global_capability_class_set sys_admin; 33*e4a36f41SAndroid Build Coastguard Worker 34*e4a36f41SAndroid Build Coastguard Worker# Snapshotctl talk to boot control HAL to set merge status. 35*e4a36f41SAndroid Build Coastguard Workerhwbinder_use(snapshotctl) 36*e4a36f41SAndroid Build Coastguard Workerhal_client_domain(snapshotctl, hal_bootctl) 37*e4a36f41SAndroid Build Coastguard Worker 38*e4a36f41SAndroid Build Coastguard Worker# Allow snapshotctl to write to statsd socket. 39*e4a36f41SAndroid Build Coastguard Workerunix_socket_send(snapshotctl, statsdw, statsd) 40*e4a36f41SAndroid Build Coastguard Worker 41*e4a36f41SAndroid Build Coastguard Worker# Logging 42*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(` 43*e4a36f41SAndroid Build Coastguard Worker allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms; 44*e4a36f41SAndroid Build Coastguard Worker allow snapshotctl snapshotctl_log_data_file:file create_file_perms; 45*e4a36f41SAndroid Build Coastguard Worker') 46*e4a36f41SAndroid Build Coastguard Worker 47*e4a36f41SAndroid Build Coastguard Worker# Allow to read /proc/bootconfig. 48*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl proc_bootconfig:file r_file_perms; 49*e4a36f41SAndroid Build Coastguard Worker 50*e4a36f41SAndroid Build Coastguard Worker# Allow to control snapuserd. 51*e4a36f41SAndroid Build Coastguard Workerset_prop(snapshotctl, ctl_snapuserd_prop) 52*e4a36f41SAndroid Build Coastguard Worker 53*e4a36f41SAndroid Build Coastguard Worker# Allow to read snapuserd.* properties. 54*e4a36f41SAndroid Build Coastguard Workerget_prop(snapshotctl, snapuserd_prop) 55*e4a36f41SAndroid Build Coastguard Worker 56*e4a36f41SAndroid Build Coastguard Worker# Allow to talk to snapuserd. 57*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl snapuserd_socket:sock_file write; 58*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl snapuserd:unix_stream_socket { connectto }; 59*e4a36f41SAndroid Build Coastguard Worker 60*e4a36f41SAndroid Build Coastguard Worker# Allow to read /dev/block/dm-* (device-mapper) nodes. 61*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl dm_device:blk_file r_file_perms; 62*e4a36f41SAndroid Build Coastguard Worker 63*e4a36f41SAndroid Build Coastguard Worker# Allow to read dm-user control nodes. 64*e4a36f41SAndroid Build Coastguard Workerallow snapshotctl dm_user_device:dir search; 65