From 4b8ece36835ac7bf61647936785510b466b8d878 Mon Sep 17 00:00:00 2001
From: Jooyung Han <jooyung@google.com>
Date: Thu, 1 Jul 2021 00:04:41 +0900
Subject: [PATCH] Allow the kernel to read shell_data_file

In ApexTestCases, a temp file in /data/local/tmp is used via a loop
device, which requires the kernel to read it.

This is only allowed in userdebug/eng.

Bug: 192259606
Test: ApexTestCases
Change-Id: Ic7d3e67a8a3e818b43b7caead9053d82cbcbccf7
---
 public/kernel.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/public/kernel.te b/public/kernel.te
index 902933d04..09d2480ea 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -95,6 +95,11 @@ allow kernel {
   staging_data_file
   vendor_apex_file
 }:file read;
+# Also allow the kernel to read /data/local/tmp files via loop device
+# for ApexTestCases
+userdebug_or_eng(`
+  allow kernel shell_data_file:file read;
+')
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.