From 7c4f8a87d30b9e95f72bb4a9891c24b6ad276cb2 Mon Sep 17 00:00:00 2001 From: Jooyung Han Date: Fri, 9 Jun 2023 13:26:54 +0900 Subject: [PATCH] Allow vendor_overlay_file from vendor apex Path to vendor overlays should be accessible to those processes with access to vendor_overlay_file. This is okay when overlays are under /vendor/overlay because vendor_file:dir is accessible from all domains. However, when a vendor overlay file is served from a vendor apex, then the mount point of the apex should be allowed explicitly for 'getattr' and 'search'. Bug: 285075529 Test: presubmit tests Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586 --- private/artd.te | 4 +++- private/dex2oat.te | 2 ++ private/postinstall_dexopt.te | 2 ++ private/rs.te | 2 ++ public/installd.te | 2 ++ 5 files changed, 11 insertions(+), 1 deletion(-) diff --git a/private/artd.te b/private/artd.te index ef54d8c4d..5fcd43ae5 100644 --- a/private/artd.te +++ b/private/artd.te @@ -39,9 +39,11 @@ allow artd apk_data_file:file r_file_perms; # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...). r_dir_file(artd, vendor_app_file) -# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...). +# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...). allow artd oemfs:dir { getattr search }; r_dir_file(artd, vendor_overlay_file) +# Vendor overlay can be found in vendor apex +allow artd vendor_apex_metadata_file:dir { getattr search }; # Read access to vendor shared libraries ({/vendor,/odm}/framework/...). r_dir_file(artd, vendor_framework_file) diff --git a/private/dex2oat.te b/private/dex2oat.te index 23f7444f7..379e32c56 100644 --- a/private/dex2oat.te +++ b/private/dex2oat.te @@ -12,6 +12,8 @@ allow dex2oat vendor_framework_file:dir { getattr search }; allow dex2oat vendor_framework_file:file { getattr open read map }; # Access /vendor/overlay r_dir_file(dex2oat, vendor_overlay_file); +# Vendor overlay can be found in vendor apex +allow dex2oat vendor_apex_metadata_file:dir { getattr search }; allow dex2oat tmpfs:file { read getattr map }; diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te index 2fdc94123..cdf403c2e 100644 --- a/private/postinstall_dexopt.te +++ b/private/postinstall_dexopt.te @@ -47,6 +47,8 @@ r_dir_file(postinstall_dexopt, apk_data_file) r_dir_file(postinstall_dexopt, vendor_app_file) # Read vendor overlay files (APKs) as input to dex2oat. r_dir_file(postinstall_dexopt, vendor_overlay_file) +# Vendor overlay can be found in vendor apex +allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search }; # Access to app oat directory. r_dir_file(postinstall_dexopt, dalvikcache_data_file) diff --git a/private/rs.te b/private/rs.te index a9b2edd5d..906373b9f 100644 --- a/private/rs.te +++ b/private/rs.te @@ -19,6 +19,8 @@ allow rs { app_data_file privapp_data_file }:dir remove_name; allow rs vendor_file:dir r_dir_perms; r_dir_file(rs, vendor_overlay_file) r_dir_file(rs, vendor_app_file) +# Vendor overlay can be found in vendor apex +allow rs vendor_apex_metadata_file:dir { getattr search }; # Read contents of app apks r_dir_file(rs, apk_data_file) diff --git a/public/installd.te b/public/installd.te index 216704d3c..88f6aabd1 100644 --- a/public/installd.te +++ b/public/installd.te @@ -33,6 +33,8 @@ r_dir_file(installd, vendor_app_file) r_dir_file(installd, vendor_framework_file) # Scan through Runtime Resource Overlay APKs in /vendor/overlay r_dir_file(installd, vendor_overlay_file) +# Vendor overlay can be found in vendor apex +allow installd vendor_apex_metadata_file:dir { getattr search }; # Get file context allow installd file_contexts_file:file r_file_perms; # Get seapp_context