Merge "Allow priv_app to search apex_data_file and read staging_data_file" into rvc-dev

2020-04-24 21:44:40 +00:00 · 2020-04-24 21:44:40 +00:00 · 91cecb75ca
commit 91cecb75ca
parent a24d7ccd8f 89d43a51ba
2 changed files with 5 additions and 1 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -209,7 +209,7 @@ neverallow {
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -157,6 +157,10 @@ allow priv_app incremental_control_file:file { read getattr ioctl };
 # on the Incremental File System.
 allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
 # Required for Phonesky to be able to read APEX files under /data/apex/active/.
 allow priv_app apex_data_file:dir search;
 allow priv_app staging_data_file:file r_file_perms;
 ###
 ### neverallow rules
 ###