cc39f63773
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
21 lines
837 B
Plaintext
21 lines
837 B
Plaintext
# otapreopt_chroot executable
|
|
type otapreopt_chroot, domain;
|
|
type otapreopt_chroot_exec, exec_type, file_type;
|
|
|
|
# Chroot preparation and execution.
|
|
# We need to create an unshared mount namespace, and then mount /data.
|
|
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
|
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
|
|
|
|
# This is required to mount /vendor.
|
|
allow otapreopt_chroot block_device:dir search;
|
|
allow otapreopt_chroot labeledfs:filesystem mount;
|
|
# Mounting /vendor can have this side-effect. Ignore denial.
|
|
dontaudit otapreopt_chroot kernel:process setsched;
|
|
|
|
# Allow otapreopt to use file descriptors from update-engine. It will
|
|
# close them immediately.
|
|
allow otapreopt_chroot postinstall:fd use;
|
|
allow otapreopt_chroot update_engine:fd use;
|
|
allow otapreopt_chroot update_engine:fifo_file write;
|