gmscore_app: shell_data_file permissions

This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggerring.

Bug: 142672293
Test: TH
Change-Id: I554e0cb00a53fd254c450c20e6c632e58472c3c8
This commit is contained in:
Ashwini Oruganti 2019-12-17 15:09:30 -08:00
parent a8ca12d1c0
commit f31e862cac
2 changed files with 10 additions and 0 deletions

View file

@ -118,3 +118,8 @@ allow gmscore_app shell_data_file:dir r_dir_perms;
allow gmscore_app ota_package_file:dir rw_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
allow gmscore_app shell_data_file:dir r_dir_perms;

View file

@ -80,6 +80,11 @@ allow priv_app media_rw_data_file:file create_file_perms;
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
userdebug_or_eng(`
auditallow priv_app shell_data_file:file r_file_perms;
auditallow priv_app shell_data_file:dir r_dir_perms;
')
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };