Merge "allow domain search for /metadata dir" into main
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
a6039befcf
2 changed files with 12 additions and 7 deletions
|
|
@ -208,6 +208,17 @@ allow {
|
|||
-hal_omx_server
|
||||
} {shell_exec toolbox_exec}:file rx_file_perms;
|
||||
|
||||
# Allow everyone to read from flag value boot snapshot files and general pb files
|
||||
# The boot copy of the flag value files serves flag read traffic for all processes, thus
|
||||
# needs to be readable by everybody. Also, the metadata directory will contain pb file
|
||||
# that records where flag storage files are, so also needs to be readable by everbody.
|
||||
allow domain aconfig_storage_metadata_file:file r_file_perms;
|
||||
allow domain aconfig_storage_metadata_file:dir r_dir_perms;
|
||||
|
||||
# processes needs to access storage file stored at /metadata/aconfig/boot, require search
|
||||
# permission on /metadata dir
|
||||
allow domain metadata_file:dir search;
|
||||
|
||||
# No domains other than a select few can access the misc_block_device. This
|
||||
# block device is reserved for OTA use.
|
||||
# Do not assert this rule on userdebug/eng builds, due to some devices using
|
||||
|
|
@ -817,3 +828,4 @@ neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file
|
|||
# Do not allow write access to aconfig flag value files except init and aconfigd
|
||||
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
|
||||
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -342,13 +342,6 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
|
|||
# configured using server-configurable flags
|
||||
get_prop(domain, device_config_media_native_prop)
|
||||
|
||||
# Allow everyone to read from flag value boot snapshot files and general pb files
|
||||
# The boot copy of the flag value files serves flag read traffic for all processes, thus
|
||||
# needs to be readable by everybody. Also, the metadata directory will contain pb file
|
||||
# that records where flag storage files are, so also needs to be readable by everbody.
|
||||
allow domain aconfig_storage_metadata_file:file r_file_perms;
|
||||
allow domain aconfig_storage_metadata_file:dir r_dir_perms;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
|||
Loading…
Reference in a new issue