1 # The tzdatacheck command run by init. 2 type tzdatacheck, domain; 3 type tzdatacheck_exec, exec_type, file_type; 4 5 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms; 6 allow tzdatacheck zoneinfo_data_file:file unlink; 7 8 # Below are strong assertion that only init, system_server and tzdatacheck 9 # can modify the /data time zone rules directories. This is to make it very 10 # clear that only these domains should modify the actual time zone rules data. 11 # The tzdatacheck binary itself may be executed by shell for tests but it must 12 # not be able to modify the real rules. 13 # If other users / binaries could modify time zone rules on device this might 14 # have negative implications for users (who may get incorrect local times) 15 # or break assumptions made / invalidate data held by the components actually 16 # responsible for updating time zone rules. 17 neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms; 18 neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms; 19
