Allow priv_app to search apex_data_file and read staging_data_file

This changes are necessary to make files under /data/apex/active be readable by Phonesky. Test: builds Bug: 154635217 Merged-In: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 Change-Id: I14116f02f3d3f0a8390f1d968a3971f15bd4b3f2 (cherry picked from commit 89d43a51ba)
2020-04-22 00:04:04 +01:00 · 2020-04-22 00:04:04 +01:00 · 01d4c99175
commit 01d4c99175
parent ca10be483b
2 changed files with 5 additions and 1 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -209,7 +209,7 @@ neverallow {
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -153,6 +153,10 @@ allow priv_app incremental_control_file:file { read getattr ioctl };
 # on the Incremental File System.
 allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;

+# Required for Phonesky to be able to read APEX files under /data/apex/active/.
+allow priv_app apex_data_file:dir search;
+allow priv_app staging_data_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###