Merge "Let apps read tombstones given to them."

2021-02-18 08:40:57 +00:00 · 2021-02-18 08:40:57 +00:00 · b4a8306599
commit b4a8306599
parent 4bda81af5d ce1c4a54ae
1 changed files with 5 additions and 0 deletions
--- a/private/app.te
+++ b/private/app.te
@ -74,6 +74,11 @@ allow appdomain apex_art_data_file:file r_file_perms;
 # Allow APFE device info to read Virtual A/B props.
 get_prop(appdomain, virtual_ab_prop)

+# Allow access to tombstones if an fd to one is given to you.
+# This is restricted by unix permissions, so an app must go through system_server to get one.
+allow appdomain tombstone_data_file:file { getattr read };
+neverallow appdomain tombstone_data_file:file ~{ getattr read };
+
 # Sensitive app domains are not allowed to execute from /data
 # to prevent persistence attacks and ensure all code is executed
 # from read-only locations.