Skip to content
Snippets Groups Projects
Normal view Permalink
idmap.te 648 B
Newer Older
  • Learn to ignore specific revisions
    • Stephen Smalley's avatar
    Run idmap in its own domain.
    Stephen Smalley committed
    1 
    # idmap, when executed by installd
    Nick Kralevich's avatar
    remove more domain_deprecated  
    Nick Kralevich committed
    2 
    type idmap, domain;
    Stephen Smalley's avatar
    Run idmap in its own domain.
    Stephen Smalley committed
    3 4 5 6 7 8 
    type idmap_exec, exec_type, file_type;

# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
    Joel Galenson's avatar
    Suppress denials from idmap reading installd's files.  
    Joel Galenson committed
    9 10 11 
    # Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
    Stephen Smalley's avatar
    Run idmap in its own domain.
    Stephen Smalley committed
    12 13 
    # Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
    Mårten Kongstad's avatar
    Add service 'overlay' to service_contexts  
    Mårten Kongstad committed
    14 
    allow idmap apk_data_file:dir search;
    Sandeep Patil's avatar
    sepolicy: restrict /vendor/app from most coredomains  
    Sandeep Patil committed
    15 16 17 
    
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
    Sandeep Patil's avatar
    sepolicy: restrict /vendor/overlay from most coredomains  
    Sandeep Patil committed
    18 19 20 
    
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)