| type cros_os_install_service, domain, chromeos_domain; |
| |
| domain_auto_trans_nnp(minijail, cros_os_install_service_exec, cros_os_install_service) |
| |
| log_writer(cros_os_install_service) |
| cros_dbus_client(cros_os_install_service) |
| |
| allow cros_os_install_service proc_cmdline:file r_file_perms; |
| |
| allow cros_os_install_service minijail:fifo_file r_file_perms; |
| allow cros_os_install_service minijail:fd use; |
| |
| # For checking the variable that triggers autoinstall. |
| r_dir_file(cros_os_install_service, efivarfs); |
| |
| filetrans_pattern(cros_os_install_service, cros_var_log_os_install_service, cros_var_log_os_install_service, file) |
| allow cros_os_install_service cros_var_log_os_install_service:file rw_file_perms; |
| |
| # Allow running chromeos-install |
| allow cros_os_install_service sh_exec:file rx_file_perms; |
| |
| # Allow mounting and unmounting the target stateful partition to copy the install log, these rules are needed only for Reven |
| no_arc(` |
| allow cros_os_install_service cros_os_install_service:capability sys_admin; |
| allow cros_os_install_service kernel:process setsched; |
| allow cros_os_install_service labeledfs:filesystem { mount unmount }; |
| # Create type for access to /tmp/, for copying the log to the new root. |
| tmp_file(cros_os_install_service, { dir file }); |
| # Allow mounting the new root, creating a dir, and to copying the log over. |
| allow cros_os_install_service cros_os_install_service_tmp_file:dir { mounton create_dir_perms}; |
| # Label our log file and allow access. |
| filetrans_pattern(cros_os_install_service, unlabeled, cros_os_install_service_tmp_file, file, "flex-install.log"); |
| allow cros_os_install_service cros_os_install_service_tmp_file:file { create_file_perms}; |
| ') |