private/asan_extract.te - platform/system/sepolicy - Git at Google

 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
 # Technically not a daemon but we do want the transition from init domain to
 # asan_extract to occur.
 with_asan(`
   typeattribute asan_extract coredomain;
   init_daemon_domain(asan_extract)

   # We need to signal a reboot when done.
   set_prop(asan_extract, powerctl_prop)

   # Allow asan_extract to execute itself using #!/system/bin/sh
   allow asan_extract shell_exec:file rx_file_perms;

   # We execute log, rm, gzip and tar.
   allow asan_extract toolbox_exec:file rx_file_perms;
   allow asan_extract system_file:file execute_no_trans;

   # asan_extract deletes old /data/lib.
   allow asan_extract system_file:dir { open read remove_name rmdir write };
   allow asan_extract system_file:file unlink;

   # asan_extract untars ASAN libraries into /data.
   allow asan_extract system_data_file:dir create_dir_perms ;
   allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;

   # Relabel the libraries with restorecon.
   allow asan_extract file_contexts_file:file r_file_perms;
   allow asan_extract system_data_file:{ dir file } relabelfrom;
   allow asan_extract system_file:dir { relabelto setattr };
   allow asan_extract system_file:file relabelto;

   # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
   allow asan_extract system_data_file:file execute;
 ')
	# type_transition must be private policy the domain_trans rules could stay
	# public, but conceptually should go with this
	# Technically not a daemon but we do want the transition from init domain to
	# asan_extract to occur.
	with_asan(`
	typeattribute asan_extract coredomain;
	init_daemon_domain(asan_extract)

	# We need to signal a reboot when done.
	set_prop(asan_extract, powerctl_prop)

	# Allow asan_extract to execute itself using #!/system/bin/sh
	allow asan_extract shell_exec:file rx_file_perms;

	# We execute log, rm, gzip and tar.
	allow asan_extract toolbox_exec:file rx_file_perms;
	allow asan_extract system_file:file execute_no_trans;

	# asan_extract deletes old /data/lib.
	allow asan_extract system_file:dir { open read remove_name rmdir write };
	allow asan_extract system_file:file unlink;

	# asan_extract untars ASAN libraries into /data.
	allow asan_extract system_data_file:dir create_dir_perms ;
	allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;

	# Relabel the libraries with restorecon.
	allow asan_extract file_contexts_file:file r_file_perms;
	allow asan_extract system_data_file:{ dir file } relabelfrom;
	allow asan_extract system_file:dir { relabelto setattr };
	allow asan_extract system_file:file relabelto;

	# Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
	allow asan_extract system_data_file:file execute;
	')