| # ART APEX postinstall. |
| # |
| |
| type art_apex_postinstall, domain, coredomain; |
| type art_apex_postinstall_exec, system_file_type, exec_type, file_type; |
| |
| # /system/bin/sh (see b/126787589). |
| allow art_apex_postinstall apexd:fd use; |
| |
| # Read temp dirs and files. Move directories. |
| allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent }; |
| allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom }; |
| # We're deleting the old /data/dalvik-cache/* and move the new ones |
| # over. |
| allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto }; |
| allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto }; |
| |
| # Required for relabel. |
| allow art_apex_postinstall file_contexts_file:file r_file_perms; |
| allow art_apex_postinstall self:global_capability_class_set sys_admin; |
| |
| # Script helpers. |
| allow art_apex_postinstall shell_exec:file rx_file_perms; |
| allow art_apex_postinstall toolbox_exec:file rx_file_perms; |
| |
| # Fsverity in the same domain. |
| allow art_apex_postinstall system_file:file execute_no_trans; |
| # Fsverity work. |
| allowxperm art_apex_postinstall ota_data_file:file ioctl { |
| FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY |
| }; |