Allow vendor_overlay_file from vendor apex
Path to vendor overlays should be accessible to those processes with access to vendor_overlay_file. This is okay when overlays are under /vendor/overlay because vendor_file:dir is accessible from all domains. However, when a vendor overlay file is served from a vendor apex, then the mount point of the apex should be allowed explicitly for 'getattr' and 'search'. Bug: 285075529 Test: presubmit tests Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
parent
9f254ba368
commit
7c4f8a87d3
5 changed files with 11 additions and 1 deletions
|
@ -39,9 +39,11 @@ allow artd apk_data_file:file r_file_perms;
|
|||
# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
|
||||
r_dir_file(artd, vendor_app_file)
|
||||
|
||||
# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
|
||||
# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
|
||||
allow artd oemfs:dir { getattr search };
|
||||
r_dir_file(artd, vendor_overlay_file)
|
||||
# Vendor overlay can be found in vendor apex
|
||||
allow artd vendor_apex_metadata_file:dir { getattr search };
|
||||
|
||||
# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
|
||||
r_dir_file(artd, vendor_framework_file)
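Review bot: The added comment `# Vendor overlay can be found in vendor apex` does not say what the rule grants or why the target type is `vendor_apex_metadata_file`; going by the commit description, that type labels the apex mount point, and the grant is deliberately limited to traversal. I would write it as `# Overlays may be served from a vendor apex: allow traversing the apex mount point (getattr/search only, no directory listing).` so that a later audit does not mistake it for metadata access or widen it to `r_dir_perms`. The same one-line comment is repeated in the dex2oat, postinstall_dexopt, rs and installd sections. Because the rule is hand-copied into five domains, it is also worth confirming that every other domain holding `r_dir_file(..., vendor_overlay_file)` is covered; those policy files are not visible on this page.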
|
||||
|
|
|
@ -12,6 +12,8 @@ allow dex2oat vendor_framework_file:dir { getattr search };
|
|||
allow dex2oat vendor_framework_file:file { getattr open read map };
|
||||
# Access /vendor/overlay
|
||||
r_dir_file(dex2oat, vendor_overlay_file);
|
||||
# Vendor overlay can be found in vendor apex
|
||||
allow dex2oat vendor_apex_metadata_file:dir { getattr search };
|
||||
|
||||
allow dex2oat tmpfs:file { read getattr map };
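Review bot: The context comment `# Access /vendor/overlay` above `r_dir_file(dex2oat, vendor_overlay_file);` is now stale, because the added rule exists for overlays that are not under /vendor/overlay. The artd section updated its path comment to include `/apex/*`; here I would change the line to `# Access vendor overlay APKs (under /vendor/overlay or inside a vendor apex)`. The installd section has the same stale wording in `# Scan through Runtime Resource Overlay APKs in /vendor/overlay`. Path comments in policy files are what a reviewer checks a grant against, so they should describe every location the rule is meant to reach.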
|
||||
|
||||
|
|
|
@ -47,6 +47,8 @@ r_dir_file(postinstall_dexopt, apk_data_file)
|
|||
r_dir_file(postinstall_dexopt, vendor_app_file)
|
||||
# Read vendor overlay files (APKs) as input to dex2oat.
|
||||
r_dir_file(postinstall_dexopt, vendor_overlay_file)
|
||||
# Vendor overlay can be found in vendor apex
|
||||
allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
|
||||
# Access to app oat directory.
|
||||
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
|
||||
|
||||
|
|
|
@ -19,6 +19,8 @@ allow rs { app_data_file privapp_data_file }:dir remove_name;
|
|||
allow rs vendor_file:dir r_dir_perms;
|
||||
r_dir_file(rs, vendor_overlay_file)
|
||||
r_dir_file(rs, vendor_app_file)
|
||||
# Vendor overlay can be found in vendor apex
|
||||
allow rs vendor_apex_metadata_file:dir { getattr search };
|
||||
|
||||
# Read contents of app apks
|
||||
r_dir_file(rs, apk_data_file)
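Review bot: The added comment and rule sit after `r_dir_file(rs, vendor_app_file)`, so they read as if they belonged to the vendor app grant and not to the overlay grant two lines above. I would move the pair to directly follow `r_dir_file(rs, vendor_overlay_file)`, matching the placement in the other four domains. Keeping the traversal rule next to the access it supports makes it more likely that both are removed together if rs ever loses overlay access, so no orphaned grant on `vendor_apex_metadata_file:dir` is left behind.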
|
||||
|
|
|
@ -33,6 +33,8 @@ r_dir_file(installd, vendor_app_file)
|
|||
r_dir_file(installd, vendor_framework_file)
|
||||
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
|
||||
r_dir_file(installd, vendor_overlay_file)
|
||||
# Vendor overlay can be found in vendor apex
|
||||
allow installd vendor_apex_metadata_file:dir { getattr search };
|
||||
# Get file context
|
||||
allow installd file_contexts_file:file r_file_perms;
|
||||
# Get seapp_context
|
||||
|
|