gmscore_app: shell_data_file permissions

This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggering.

Bug: 142672293
Test: TH
Change-Id: I554e0cb00a53fd254c450c20e6c632e58472c3c8
Ashwini Oruganti 2019-12-17 15:09:30 -08:00
parent a8ca12d1c0
commit f31e862cac
2 changed files with 10 additions and 0 deletions


@ -118,3 +118,8 @@ allow gmscore_app shell_data_file:dir r_dir_perms;
allow gmscore_app ota_package_file:dir rw_dir_perms; allow gmscore_app ota_package_file:dir rw_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms; allow gmscore_app ota_package_file:file create_file_perms;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
allow gmscore_app shell_data_file:dir r_dir_perms;
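Review bot: The comment above the two new `gmscore_app` rules gives the reason but no bug reference, while the matching priv_app comment cites b/142672293; a first line such as `# b/142672293: moved here from priv_app.` would keep both halves of the migration traceable. The comment could also say that the type-level `r_file_perms` grant covers every file labelled `shell_data_file`, not only the APK being installed, so a later reviewer knows the breadth is deliberate. Separately, the hunk header's trailing context already reads `allow gmscore_app shell_data_file:dir r_dir_perms;`, which may mean the dir rule exists earlier in the file; if so, the added dir line is a duplicate and can be dropped.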


@ -80,6 +80,11 @@ allow priv_app media_rw_data_file:file create_file_perms;
# running "adb install foo.apk". # running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms; allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms; allow priv_app shell_data_file:dir r_dir_perms;
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app shell_data_file:file r_file_perms;
auditallow priv_app shell_data_file:dir r_dir_perms;
')
# Allow traceur to pass file descriptors through a content provider to betterbug # Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read }; allow priv_app trace_data_file:file { getattr read };
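Review bot: The `auditallow` pair sits inside `userdebug_or_eng`, so only userdebug and eng builds will log these accesses. A quiet log there does not show that no priv-app on user builds still depends on the `allow priv_app shell_data_file` rules above it. The comment should record that limit and the removal condition, for example `# b/142672293: temporary audit, userdebug/eng only; drop the shell_data_file allow and auditallow rules once no grants are logged.` Note also that `auditallow` emits `granted` records rather than denials, so whoever watches the logs needs to search for those.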