private/kernel.te - platform/system/sepolicy - Git at Google

 typeattribute kernel coredomain;

 domain_auto_trans(kernel, init_exec, init)
 domain_auto_trans(kernel, snapuserd_exec, snapuserd)

 # Allow the kernel to read otapreopt_chroot's file descriptors and files under
 # /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
 allow kernel otapreopt_chroot:fd use;
 allow kernel postinstall_file:file read;

 # The following sections are for the transition period during a Virtual A/B
 # OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
 # context, and with properly labelled devices. This must be done before
 # enabling enforcement, eg, in permissive mode while still in the kernel
 # context.
 allow kernel tmpfs:blk_file { getattr relabelfrom };
 allow kernel tmpfs:chr_file { getattr relabelfrom };
 allow kernel tmpfs:lnk_file { getattr relabelfrom };
 allow kernel tmpfs:dir { open read relabelfrom };

 allow kernel block_device:blk_file relabelto;
 allow kernel block_device:lnk_file relabelto;
 allow kernel dm_device:chr_file relabelto;
 allow kernel dm_device:blk_file relabelto;
 allow kernel dm_user_device:dir { read open search relabelto };
 allow kernel dm_user_device:chr_file relabelto;
 allow kernel kmsg_device:chr_file relabelto;
 allow kernel null_device:chr_file relabelto;
 allow kernel random_device:chr_file relabelto;
 allow kernel snapuserd_exec:file relabelto;

 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;

 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into
 # enforcing mode.
 dontaudit kernel device:dir { open read relabelto };
 dontaudit kernel tmpfs:file { getattr open read relabelfrom };
 dontaudit kernel {
   file_contexts_file
   hwservice_contexts_file
   mac_perms_file
   property_contexts_file
   seapp_contexts_file
   sepolicy_test_file
   service_contexts_file
 }:file relabelto;
	typeattribute kernel coredomain;

	domain_auto_trans(kernel, init_exec, init)
	domain_auto_trans(kernel, snapuserd_exec, snapuserd)

	# Allow the kernel to read otapreopt_chroot's file descriptors and files under
	# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
	allow kernel otapreopt_chroot:fd use;
	allow kernel postinstall_file:file read;

	# The following sections are for the transition period during a Virtual A/B
	# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
	# context, and with properly labelled devices. This must be done before
	# enabling enforcement, eg, in permissive mode while still in the kernel
	# context.
	allow kernel tmpfs:blk_file { getattr relabelfrom };
	allow kernel tmpfs:chr_file { getattr relabelfrom };
	allow kernel tmpfs:lnk_file { getattr relabelfrom };
	allow kernel tmpfs:dir { open read relabelfrom };

	allow kernel block_device:blk_file relabelto;
	allow kernel block_device:lnk_file relabelto;
	allow kernel dm_device:chr_file relabelto;
	allow kernel dm_device:blk_file relabelto;
	allow kernel dm_user_device:dir { read open search relabelto };
	allow kernel dm_user_device:chr_file relabelto;
	allow kernel kmsg_device:chr_file relabelto;
	allow kernel null_device:chr_file relabelto;
	allow kernel random_device:chr_file relabelto;
	allow kernel snapuserd_exec:file relabelto;

	allow kernel kmsg_device:chr_file write;
	allow kernel gsid:fd use;

	# Some contexts are changed before the device is flipped into enforcing mode
	# during the setup of Apex sepolicy. These denials can be suppressed since
	# the permissions should not be allowed after the device is flipped into
	# enforcing mode.
	dontaudit kernel device:dir { open read relabelto };
	dontaudit kernel tmpfs:file { getattr open read relabelfrom };
	dontaudit kernel {
	file_contexts_file
	hwservice_contexts_file
	mac_perms_file
	property_contexts_file
	seapp_contexts_file
	sepolicy_test_file
	service_contexts_file
	}:file relabelto;