private/compos_verify_key.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Run by odsign to verify a CompOs instance's keys.
 type compos_verify_key, domain, coredomain;

 type compos_verify_key_exec, exec_type, file_type, system_file_type;

 binder_use(compos_verify_key);
 virtualizationservice_use(compos_verify_key);

 # Access the image & key files, delete on failure, rename pending to current
 allow compos_verify_key apex_module_data_file:dir search;
 allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
 allow compos_verify_key apex_compos_data_file:file create_file_perms;

 # Allow odsign to redirect our stdout/stderr to log
 allow compos_verify_key odsign:fd use;
 allow compos_verify_key odsign_devpts:chr_file { read write };

 # Only odsign can enter the domain via exec
 neverallow { domain -odsign } compos_verify_key:process transition;
 neverallow * compos_verify_key:process dyntransition;
	# Run by odsign to verify a CompOs instance's keys.
	type compos_verify_key, domain, coredomain;

	type compos_verify_key_exec, exec_type, file_type, system_file_type;

	binder_use(compos_verify_key);
	virtualizationservice_use(compos_verify_key);

	# Access the image & key files, delete on failure, rename pending to current
	allow compos_verify_key apex_module_data_file:dir search;
	allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
	allow compos_verify_key apex_compos_data_file:file create_file_perms;

	# Allow odsign to redirect our stdout/stderr to log
	allow compos_verify_key odsign:fd use;
	allow compos_verify_key odsign_devpts:chr_file { read write };

	# Only odsign can enter the domain via exec
	neverallow { domain -odsign } compos_verify_key:process transition;
	neverallow * compos_verify_key:process dyntransition;