authorDaniel Norman <danielnorman@google.com>2021-10-15 12:30:49 -0700
committerDaniel Norman <danielnorman@google.com>2021-10-18 16:25:14 +0000
commitcf2499a0ba5c9ff8d6167b84394b6071d368222e (patch)
tree221140ddb2b1a3647734eb36dfda6c5c6f0fd0f1
parent7609e175c53e817dfe452d7fa4226f83425f4c84 (diff)
Allow zygote to canonicalize vendor apex paths.
Bug: 199200417 Test: Build cuttlefish with an 'android'-targeting RRO in a vendor APEX. Observe no SELinux errors. Change-Id: I4c73cb6d98b70282e10354d2596b261bd7c409db
-rw-r--r--private/zygote.te5
1 files changed, 5 insertions, 0 deletions
diff --git a/private/zygote.te b/private/zygote.te
index f2af506976..8e2b15a83e 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -230,6 +230,11 @@ get_prop(zygote, qemu_sf_lcd_density_prop)
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
+# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
+# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
+allow zygote vendor_apex_file:dir { getattr search };
+allow zygote vendor_apex_file:file { getattr };
+
###
### neverallow rules
###
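Review bot: The comment above the two added `allow` rules explains why zygote needs the access but not that the grant is deliberately limited to path metadata, which is worth recording because zygote is the parent of every app process and this domain should stay as narrow as possible. I would add a line such as `# Metadata only (getattr/search): zygote does not need to read or open vendor APEX contents.` directly above the rules. As a style point, the single-permission set needs no braces: `allow zygote vendor_apex_file:file getattr;`. If any component of a vendor APEX path can be a symlink labelled vendor_apex_file, canonicalization would presumably also need `lnk_file` access; the Test: line only mentions cuttlefish, so that is worth confirming on another device layout.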