# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
with_asan(`
  typeattribute asan_extract coredomain;
  init_daemon_domain(asan_extract)

  # We need to signal a reboot when done.
  set_prop(asan_extract, powerctl_prop)

  # Allow asan_extract to execute itself using #!/system/bin/sh
  allow asan_extract shell_exec:file rx_file_perms;

  # We execute log, rm, gzip and tar.
  allow asan_extract toolbox_exec:file rx_file_perms;
  allow asan_extract system_file:file execute_no_trans;

  # asan_extract deletes old /data/lib.
  allow asan_extract system_file:dir { open read remove_name rmdir write };
  allow asan_extract system_file:file unlink;

  # asan_extract untars ASAN libraries into /data.
  allow asan_extract system_data_file:dir create_dir_perms ;
  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;

  # Relabel the libraries with restorecon.
  allow asan_extract file_contexts_file:file r_file_perms;
  allow asan_extract system_data_file:{ dir file } relabelfrom;
  allow asan_extract system_file:dir { relabelto setattr };
  allow asan_extract system_file:file relabelto;

  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
  allow asan_extract system_data_file:file execute;
')