| # ART APEX preinstall. |
| # |
| |
| type art_apex_preinstall, domain, coredomain; |
| type art_apex_preinstall_exec, system_file_type, exec_type, file_type; |
| |
| # /dev/zero |
| allow art_apex_preinstall apexd:fd use; |
| |
| # Create temp dirs and files under /data/ota. |
| allow art_apex_preinstall ota_data_file:dir create_dir_perms; |
| allow art_apex_preinstall ota_data_file:file create_file_perms; |
| # We mount /data/ota/dalvik-cache over /data/dalvik-cache in our |
| # mount namespace. |
| allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton }; |
| allow art_apex_preinstall self:capability sys_admin; |
| |
| # Script helpers. |
| allow art_apex_preinstall shell_exec:file rx_file_perms; |
| allow art_apex_preinstall toolbox_exec:file rx_file_perms; |
| |
| # Execute subscripts in the same domain. |
| allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans; |
| |
| # Run dex2oat. |
| domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat) |
| |
| # Fsverity in the same domain. |
| allow art_apex_preinstall system_file:file execute_no_trans; |
| # Fsverity work. |
| allowxperm art_apex_preinstall ota_data_file:file ioctl { |
| FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY |
| }; |
| |
| allow art_apex_preinstall kernel:key search; |
| # For testing purposes, allow keys installed with su. |
| userdebug_or_eng(` |
| allow art_apex_preinstall su:key search; |
| ') |