1# This command set checks the integrity of boot classpath ART 2# artifacts in /data, potentially removing them. 3 4type art_apex_boot_integrity, domain, coredomain; 5type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type; 6 7# Technically not a daemon but we do want the transition from init domain to 8# art_apex_boot_integrity to occur. 9init_daemon_domain(art_apex_boot_integrity) 10 11# Read dalvik cache directories, remove entries. 12allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name }; 13# Read and possibly delete dalvik cache files. 14allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink }; 15 16# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh 17allow art_apex_boot_integrity shell_exec:file rx_file_perms; 18 19# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity 20# permissions. 21allow art_apex_boot_integrity toolbox_exec:file rx_file_perms; 22 23# Fsverity in the same domain. 24allow art_apex_boot_integrity system_file:file execute_no_trans; 25# Fsverity work. 26allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl { 27 FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY 28}; 29