From 662d5e68f1c464516d22831c9f139cd0a2807cd9 Mon Sep 17 00:00:00 2001
From: Dennis Shen
Date: Tue, 12 Mar 2024 16:50:22 +0000
Subject: [PATCH] allow system server to search into /metadata/aconfig dir

Bug: b/312459182
Test: m
Change-Id: I44a2113b53b23a47d30460d0e7120bbeceb3ecbf
---
 private/domain.te | 4 ++--
 private/system_server.te | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/private/domain.te b/private/domain.te
index 4692eda87..8dd8c8983 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -813,5 +813,5 @@ neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
 # Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
-neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 886499e07..c2c30aee8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1470,6 +1470,7 @@ allow system_server watchdog_metadata_file:file create_file_perms;
 allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
 allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+allow system_server aconfig_storage_metadata_file:dir search;
 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
 allow system_server repair_mode_metadata_file:file create_file_perms;
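Review bot: In private/domain.te, adding `-system_server` to both neverallow rules exempts it from much more than the single permission this commit grants. The only new allow rule visible here is `dir search`, yet system_server now falls outside the `dir *` guard and the `file no_w_file_perms` guard, so a later allow rule giving it write access to the flag value files would no longer fail the policy build. The file rule could stay as `neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;`, and the directory exemption could be bounded with an extra `neverallow system_server aconfig_storage_metadata_file:dir ~search;`. The comment above the rules still names only init and aconfigd and should be updated to describe whichever exception remains.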
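Review bot: In private/system_server.te, the added `allow system_server aconfig_storage_metadata_file:dir search;` has no comment saying why system_server needs to traverse this directory. A one-line comment above it would record the intent, for example `# Traverse /metadata/aconfig to reach the flag files below it; no read or write on the directory itself`. The path comes from the commit subject, while the relationship to aconfig_storage_flags_metadata_file is inferred from the neighbouring rules and should be confirmed before it is written down.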