allow all domain search permission for aconfig_storage_metadata_file dir

Just allow aconfig_storage_metadata_file:file read permission is not enough to read the pb file, we also need aconfig_storage_metadata_file:dir search permission. Bug: b/312459182 Test: audit2allow after having demo app access the file Change-Id: I1790ea84a56e83f43313af82378f245e2bb6597e
2024-03-19 17:50:16 +00:00 · 2024-03-19 17:50:16 +00:00 · cd560f115b
commit cd560f115b
parent 2fa70270a2
2 changed files with 3 additions and 2 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -815,5 +815,5 @@ neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;

 # Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
 neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
--- a/public/domain.te
+++ b/public/domain.te
@ -346,7 +346,8 @@ get_prop(domain, device_config_media_native_prop)
 # The boot copy of the flag value files serves flag read traffic for all processes, thus
 # needs to be readable by everybody. Also, the metadata directory will contain pb file
 # that records where flag storage files are, so also needs to be readable by everbody.
-allow domain { aconfig_storage_metadata_file }:file r_file_perms;
+allow domain aconfig_storage_metadata_file:file r_file_perms;
+allow domain aconfig_storage_metadata_file:dir r_dir_perms;

 ###
 ### neverallow rules