| # otapreopt executable |
| type otapreopt, domain, mlstrustedsubject; |
| type otapreopt_exec, exec_type, file_type; |
| |
| init_daemon_domain(otapreopt) |
| allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid }; |
| |
| # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access |
| # here and having to relabel the directory. |
| |
| # Write to /data/ota(/*). Create symlinks in /data/ota(/*) |
| allow otapreopt ota_data_file:dir create_dir_perms; |
| allow otapreopt ota_data_file:file create_file_perms; |
| allow otapreopt ota_data_file:lnk_file create_file_perms; |
| |
| # Allow labeling of files under /data/app/com.example/oat/ |
| # TODO: Restrict to .b suffix? |
| allow otapreopt dalvikcache_data_file:dir relabelto; |
| allow otapreopt dalvikcache_data_file:file { relabelto link }; |
| |
| allow otapreopt selinuxfs:dir r_dir_perms; |
| |
| # Check validity of SELinux context before use. |
| selinux_check_context(otapreopt) |
| selinux_check_access(otapreopt) |
| |
| # Run dex2oat in its own sandbox. |
| domain_auto_trans(otapreopt, dex2oat_exec, dex2oat) |
| |
| # Allow otapreopt to use file descriptors from installd. |
| allow otapreopt installd:fd use; |