Merge "selinux: allow everybody to read flags from RO flag storage file" into main am: 0467d14618

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3112421 Change-Id: I948458b771e030fb4b7ef31f5a5c38a854f7db2f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-04 17:22:58 +00:00 · 2024-06-04 17:22:58 +00:00 · 1f2eea0c7a
commit 1f2eea0c7a
parent 23ce6a536b 0467d14618
1 changed files with 5 additions and 5 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -570,11 +570,11 @@ allow {
  -hal_omx_server
 } {shell_exec toolbox_exec}:file rx_file_perms;

-# Allow all (except vendor) to read from flag value boot snapshot files and general pb files
-# The boot copy of the flag value files serves flag read traffic for all processes, thus
-# needs to be readable by everybody. Also, the metadata directory will contain pb file
-# that records where flag storage files are, so also needs to be readable by everbody.
-r_dir_file({ coredomain appdomain }, aconfig_storage_metadata_file);
+# Allow all to read from flag value boot snapshot storage files and general pb files
+# The boot snapshot of storage files serves flag read traffic for all processes, thus
+# needs to be readable by everybody.
+r_dir_file(domain, aconfig_storage_metadata_file);
+
 r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
 r_dir_file({ coredomain appdomain }, aconfig_test_mission_files);