Allow the kernel to read staging_data_file.

These are APEX files in /data/staging, and will be accessed by the loop driver in the kernel. Bug: 118865310 Test: no denials on emulator Change-Id: I5c849b6677566cb00d28011352b9dc6b787a0bc4
2019-01-16 13:52:50 +01:00 · 2019-01-16 13:52:50 +01:00 · b85acbb889
commit b85acbb889
parent e3d625b72e
2 changed files with 3 additions and 2 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -143,7 +143,7 @@ neverallow {
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
 neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
 # apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
 neverallow { domain -init -system_server } staging_data_file:file
--- a/public/kernel.te
+++ b/public/kernel.te
@ -81,11 +81,12 @@ allow kernel media_rw_data_file:file create_file_perms;
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file { read write };

-# Allow the kernel to read APEX file descriptors and data files;
+# Allow the kernel to read APEX file descriptors and (staged) data files;
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
 allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;

 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.