Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Blame Permalink
  • dcashman's avatar
    cc39f637
    Split general policy into public and private components. · cc39f637
    dcashman authored 
    Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
    cc39f637
    History
    Split general policy into public and private components.
    dcashman authored 
    Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
otapreopt_slot.te 1.12 KiB 
# otapreopt_slot
#
# This command set moves the artifact corresponding to the current slot
# from /data/ota to /data/dalvik-cache.

type otapreopt_slot, domain, mlstrustedsubject;
type otapreopt_slot_exec, exec_type, file_type;


# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
# the directory afterwards. For logging of aggregate size, we need getattr.
allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
allow otapreopt_slot ota_data_file:file { getattr };

# Delete old content of the dalvik-cache.
allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };

# Allow cppreopts to execute itself using #!/system/bin/sh
allow otapreopt_slot shell_exec:file rx_file_perms;

# Allow running the mv and rm/rmdir commands using otapreopt_slot  permissions.
# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
allow otapreopt_slot toolbox_exec:file rx_file_perms;