1# type_transition must be private policy the domain_trans rules could stay 2# public, but conceptually should go with this 3# Technically not a daemon but we do want the transition from init domain to 4# asan_extract to occur. 5with_asan(` 6 typeattribute asan_extract coredomain; 7 init_daemon_domain(asan_extract) 8 9 # We need to signal a reboot when done. 10 set_prop(asan_extract, powerctl_prop) 11 12 # Allow asan_extract to execute itself using #!/system/bin/sh 13 allow asan_extract shell_exec:file rx_file_perms; 14 15 # We execute log, rm, gzip and tar. 16 allow asan_extract toolbox_exec:file rx_file_perms; 17 allow asan_extract system_file:file execute_no_trans; 18 19 # asan_extract deletes old /data/lib. 20 allow asan_extract system_file:dir { open read remove_name rmdir write }; 21 allow asan_extract system_file:file unlink; 22 23 # asan_extract untars ASAN libraries into /data. 24 allow asan_extract system_data_file:dir create_dir_perms ; 25 allow asan_extract system_data_file:{ file lnk_file } create_file_perms ; 26 27 # Relabel the libraries with restorecon. 28 allow asan_extract file_contexts_file:file r_file_perms; 29 allow asan_extract system_data_file:{ dir file } relabelfrom; 30 allow asan_extract system_file:dir { relabelto setattr }; 31 allow asan_extract system_file:file relabelto; 32 33 # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser). 34 allow asan_extract system_data_file:file execute; 35') 36