blob: 15c5a09fd862f0d3606e4cac734ea00a4ec56b75 [file] [log] [blame]
# asan_extract
#
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.
with_asan(`
type asan_extract, domain, coredomain;
type asan_extract_exec, exec_type, file_type;
# Allow asan_extract to execute itself using #!/system/bin/sh
allow asan_extract shell_exec:file rx_file_perms;
# We execute log, rm, gzip and tar.
allow asan_extract toolbox_exec:file rx_file_perms;
allow asan_extract system_file:file execute_no_trans;
# asan_extract deletes old /data/lib.
allow asan_extract system_file:dir { open read remove_name rmdir write };
allow asan_extract system_file:file unlink;
# asan_extract untars ASAN libraries into /data.
allow asan_extract system_data_file:dir create_dir_perms ;
allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
# Relabel the libraries with restorecon.
allow asan_extract file_contexts_file:file r_file_perms;
allow asan_extract system_data_file:{ dir file } relabelfrom;
allow asan_extract system_file:dir { relabelto setattr };
allow asan_extract system_file:file relabelto;
# Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
allow asan_extract system_data_file:file execute;
# We need to signal a reboot when done.
set_prop(asan_extract, powerctl_prop)
')