sepolicy: Add policy for migrate_legacy_obb_data.sh
.. and let installd execute it. Required to migrate legacy obb contents.

Bug: 129167772
Test: make
Change-Id: I35d35016680379e3a9363408704ee890a78a9748
parent
ab2e89a695
commit
0574e4cdab
@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
|
||||
install_recovery
|
||||
userdebug_or_eng(`llkd')
|
||||
lmkd
|
||||
migrate_legacy_obb_data
|
||||
netd
|
||||
perfprofd
|
||||
postinstall_dexopt
|
||||
|
@ -326,6 +326,7 @@
|
||||
/system/bin/gsid u:object_r:gsid_exec:s0
|
||||
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
|
||||
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
|
||||
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
|
@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
|
||||
# Run idmap in its own sandbox.
|
||||
domain_auto_trans(installd, idmap_exec, idmap)
|
||||
|
||||
# Run migrate_legacy_obb_data.sh in its own sandbox.
|
||||
domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
|
||||
allow installd shell_exec:file rx_file_perms;
|
||||
|
||||
# Create /data/.layout_version.* file
|
||||
type_transition installd system_data_file:file install_data_file;
|
||||
|
||||
|
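Review bot: The added `allow installd shell_exec:file rx_file_perms;` sits under the comment "Run migrate_legacy_obb_data.sh in its own sandbox", but it is not part of that transition. `rx_file_perms` includes `execute_no_trans`, so the rule lets installd run /system/bin/sh inside the installd domain itself. If installd only needs the shell to launch the script (presumably through `system()` or `sh -c`; the caller is not visible on this page), give the rule its own comment such as `# installd starts the script through /system/bin/sh; that shell runs in the installd domain.`. If installd can exec the script directly, check whether `execute_no_trans` is still needed at all. The same rule appears in the second copy of this hunk further down the page.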
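--- a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;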
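Review bot: The rule `allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };` has no comment saying which step of the script needs each capability, so the next reader cannot tell which of the five can be dropped. It should get a comment along the lines of `# Needed to move and re-own OBB files that belong to other uids; TODO: confirm each capability against the script.`. The two rules on `installd:fd use` and `installd:file read` rest only on open TODOs. The second is written against every file labelled `installd`, not just the one /proc entry its comment names, which matters more in a domain that also holds `dac_override` and `dac_read_search`. Tagging both TODOs with the tracking bug, e.g. `# TODO(b/129167772): ...`, would keep them from becoming permanent. The same applies to the identical private/migrate_legacy_obb_data.te section further down the page.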
@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
|
||||
install_recovery
|
||||
userdebug_or_eng(`llkd')
|
||||
lmkd
|
||||
migrate_legacy_obb_data
|
||||
netd
|
||||
perfprofd
|
||||
postinstall_dexopt
|
||||
|
@ -326,6 +326,7 @@
|
||||
/system/bin/gsid u:object_r:gsid_exec:s0
|
||||
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
|
||||
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
|
||||
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
|
||||
|
||||
#############################
|
||||
# Vendor files
|
||||
|
@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
|
||||
# Run idmap in its own sandbox.
|
||||
domain_auto_trans(installd, idmap_exec, idmap)
|
||||
|
||||
# Run migrate_legacy_obb_data.sh in its own sandbox.
|
||||
domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
|
||||
allow installd shell_exec:file rx_file_perms;
|
||||
|
||||
# Create /data/.layout_version.* file
|
||||
type_transition installd system_data_file:file install_data_file;
|
||||
|
||||
|
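--- a/private/migrate_legacy_obb_data.te
+++ b/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;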