Merge "gmscore_app: shell_data_file permissions" am: cc5cf1c125 am: ab401c4ecd am: d7ab5f7e7e

Change-Id: I110c1778931ff774cf20f3ed8e1d0a9adfa63dd7
2019-12-18 03:27:46 +00:00 · 2019-12-18 03:27:46 +00:00 · 46c1585530
commit 46c1585530
parent 3b97a0beda d7ab5f7e7e
2 changed files with 10 additions and 0 deletions
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@ -118,3 +118,8 @@ allow gmscore_app shell_data_file:dir r_dir_perms;
 allow gmscore_app ota_package_file:dir rw_dir_perms;
 allow gmscore_app ota_package_file:file create_file_perms;

+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
+
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -80,6 +80,11 @@ allow priv_app media_rw_data_file:file create_file_perms;
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
 allow priv_app shell_data_file:dir r_dir_perms;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app shell_data_file:file r_file_perms;
+  auditallow priv_app shell_data_file:dir r_dir_perms;
+')

 # Allow traceur to pass file descriptors through a content provider to betterbug
 allow priv_app trace_data_file:file { getattr read };