summaryrefslogtreecommitdiff
path: root/prebuilts/api/32.0/private/kernel.te
diff options
context:
space:
mode:
Diffstat (limited to 'prebuilts/api/32.0/private/kernel.te')
-rw-r--r--prebuilts/api/32.0/private/kernel.te33
1 files changed, 33 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/kernel.te b/prebuilts/api/32.0/private/kernel.te
new file mode 100644
index 000000000..534116343
--- /dev/null
+++ b/prebuilts/api/32.0/private/kernel.te
@@ -0,0 +1,33 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
+domain_auto_trans(kernel, snapuserd_exec, snapuserd)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel snapuserd_exec:file relabelto;
+
+allow kernel kmsg_device:chr_file write;
+allow kernel gsid:fd use;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 05:05:22 +0000