Allow vendor_overlay_file from vendor apex

Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.

Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
Jooyung Han 2023-06-09 13:26:54 +09:00
parent 9f254ba368
commit 7c4f8a87d3
5 changed files with 11 additions and 1 deletions


@ -39,9 +39,11 @@ allow artd apk_data_file:file r_file_perms;
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
allow artd oemfs:dir { getattr search };
r_dir_file(artd, vendor_overlay_file)
# Vendor overlay can be found in vendor apex
allow artd vendor_apex_metadata_file:dir { getattr search };
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
r_dir_file(artd, vendor_framework_file)
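Review bot: The comment added above `allow artd vendor_apex_metadata_file:dir { getattr search };` says where overlays can live, but not why this type is involved or that the grant is meant to stay traversal-only. Per the commit description the type labels the apex mount point, so wording such as `# Vendor overlays may be served from a vendor apex; allow traversing the apex mount point only.` would discourage a later edit from widening it to `r_dir_perms`. The same two lines are added for dex2oat, postinstall_dexopt, rs and installd, and would take the same wording. If `vendor_apex_metadata_file` labels every vendor apex mount point (not visible here), these domains can now traverse all of them, so overlay reads still depend on the `vendor_overlay_file` label being applied inside the apex.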


@ -12,6 +12,8 @@ allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read map };
# Access /vendor/overlay
r_dir_file(dex2oat, vendor_overlay_file);
# Vendor overlay can be found in vendor apex
allow dex2oat vendor_apex_metadata_file:dir { getattr search };
allow dex2oat tmpfs:file { read getattr map };
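Review bot: The existing comment `# Access /vendor/overlay` above `r_dir_file(dex2oat, vendor_overlay_file);` is left stale, while the artd section of this commit updates its equivalent comment to include `/apex/*`. Mirroring artd's wording, `# Access vendor overlays ({/vendor,/odm,/oem,/apex/*}/overlay/...)`, would keep the two files in step. The installd comment that still says `in /vendor/overlay` has the same gap.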


@ -47,6 +47,8 @@ r_dir_file(postinstall_dexopt, apk_data_file)
r_dir_file(postinstall_dexopt, vendor_app_file)
# Read vendor overlay files (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_overlay_file)
# Vendor overlay can be found in vendor apex
allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)


@ -19,6 +19,8 @@ allow rs { app_data_file privapp_data_file }:dir remove_name;
allow rs vendor_file:dir r_dir_perms;
r_dir_file(rs, vendor_overlay_file)
r_dir_file(rs, vendor_app_file)
# Vendor overlay can be found in vendor apex
allow rs vendor_apex_metadata_file:dir { getattr search };
# Read contents of app apks
r_dir_file(rs, apk_data_file)
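Review bot: In this file the new comment and `allow rs vendor_apex_metadata_file:dir { getattr search };` are placed after `r_dir_file(rs, vendor_app_file)`, so the rule is separated from the `r_dir_file(rs, vendor_overlay_file)` line it supports. The other four files put it directly under the overlay rule. Moving the two added lines up so they follow `r_dir_file(rs, vendor_overlay_file)` would make the pairing obvious when auditing what rs can reach.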


@ -33,6 +33,8 @@ r_dir_file(installd, vendor_app_file)
r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Vendor overlay can be found in vendor apex
allow installd vendor_apex_metadata_file:dir { getattr search };
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context