# This command set checks the integrity of boot classpath ART
|
# artifacts in /data, potentially removing them.
|
|
type art_apex_boot_integrity, domain, coredomain;
|
type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
|
|
# Technically not a daemon but we do want the transition from init domain to
|
# art_apex_boot_integrity to occur.
|
init_daemon_domain(art_apex_boot_integrity)
|
|
# Read dalvik cache directories, remove entries.
|
allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
|
# Read and possibly delete dalvik cache files.
|
allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
|
|
# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
|
allow art_apex_boot_integrity shell_exec:file rx_file_perms;
|
|
# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
|
# permissions.
|
allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
|
|
# Fsverity in the same domain.
|
allow art_apex_boot_integrity system_file:file execute_no_trans;
|
# Fsverity work.
|
allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
};
|
