Allow shell to read updated APEXes am: 5490752cfc am: 4c79e09417

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1998997 Change-Id: Ic33970b0feecbedca22299078c3c1b1166a54803
2022-02-25 15:29:47 +00:00 · 2022-02-25 15:29:47 +00:00 · 43d0092a86
commit 43d0092a86
parent 229fab8540 4c79e09417
2 changed files with 5 additions and 0 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -245,6 +245,7 @@ neverallow {
  -installd
  -iorap_inode2filename
  -priv_app
+  -shell
  -virtualizationservice
  -crosvm
 } staging_data_file:file *;
--- a/private/shell.te
+++ b/private/shell.te
@ -130,6 +130,10 @@ allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
 allow shell vendor_apex_file:dir r_dir_perms;

+# Allow shell to read updated APEXes under /data/apex
+allow shell apex_data_file:dir search;
+allow shell staging_data_file:file r_file_perms;
+
 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)