diff options
author | Todd Kennedy <toddke@google.com> | 2019-06-24 16:02:51 -0700 |
---|---|---|
committer | Andrew Sapperstein <asapperstein@google.com> | 2019-06-27 11:32:49 -0700 |
commit | 9067699d9dc6a297e31fab9297576f83fe3dbd9d (patch) | |
tree | 0e607bcb90c0c7e4d2b4e3f6f523fd2492fd787c | |
parent | 72a75ffe193be6bbc9deb4f8370a2193cda49167 (diff) | |
download | android_system_sepolicy-9067699d9dc6a297e31fab9297576f83fe3dbd9d.tar.gz android_system_sepolicy-9067699d9dc6a297e31fab9297576f83fe3dbd9d.tar.bz2 android_system_sepolicy-9067699d9dc6a297e31fab9297576f83fe3dbd9d.zip |
Allow rule to let settings access apex files
In order to show licensing information, we need to read it from
an asset stored in the .apex file.
Bug: 135183006
Test: Manual; settings can access apex files stored on /data
Change-Id: I71fbde6e295d9c890c9b9b0449e5150834a6680e
Merged-In: I71fbde6e295d9c890c9b9b0449e5150834a6680e
-rw-r--r-- | prebuilts/api/29.0/private/domain.te | 2 | ||||
-rw-r--r-- | prebuilts/api/29.0/private/system_app.te | 6 | ||||
-rw-r--r-- | prebuilts/api/29.0/private/system_server.te | 2 | ||||
-rw-r--r-- | private/domain.te | 2 | ||||
-rw-r--r-- | private/system_app.te | 6 | ||||
-rw-r--r-- | private/system_server.te | 2 |
6 files changed, 16 insertions, 4 deletions
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te index 3265faf7..209eeb0d 100644 --- a/prebuilts/api/29.0/private/domain.te +++ b/prebuilts/api/29.0/private/domain.te @@ -169,7 +169,7 @@ neverallow { # do not change between system_server staging the files and apexd processing # the files. neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *; -neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *; +neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *; neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms; # apexd needs the link and unlink permissions, so list every `no_w_file_perms` # except for `link` and `unlink`. diff --git a/prebuilts/api/29.0/private/system_app.te b/prebuilts/api/29.0/private/system_app.te index e8627151..9ed1d365 100644 --- a/prebuilts/api/29.0/private/system_app.te +++ b/prebuilts/api/29.0/private/system_app.te @@ -24,6 +24,12 @@ allow system_app misc_user_data_file:file create_file_perms; # Access to vold-mounted storage for measuring free space allow system_app mnt_media_rw_file:dir search; +# Access to apex files stored on /data (b/136063500) +# Needed so that Settings can access NOTICE files inside apex +# files located in the assets/ directory. +allow system_app apex_data_file:dir search; +allow system_app staging_data_file:file r_file_perms; + # Read wallpaper file. allow system_app wallpaper_file:file r_file_perms; diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te index bc47e916..5bec849c 100644 --- a/prebuilts/api/29.0/private/system_server.te +++ b/prebuilts/api/29.0/private/system_server.te @@ -1011,7 +1011,7 @@ wakelock_use(system_server) # needs these privileges to compare file signatures while processing installs. # # Only apexd is allowed to create new entries or write to any file under /data/apex. -allow system_server apex_data_file:dir search; +allow system_server apex_data_file:dir { getattr search }; allow system_server apex_data_file:file r_file_perms; # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can diff --git a/private/domain.te b/private/domain.te index 3265faf7..209eeb0d 100644 --- a/private/domain.te +++ b/private/domain.te @@ -169,7 +169,7 @@ neverallow { # do not change between system_server staging the files and apexd processing # the files. neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *; -neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *; +neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *; neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms; # apexd needs the link and unlink permissions, so list every `no_w_file_perms` # except for `link` and `unlink`. diff --git a/private/system_app.te b/private/system_app.te index e8627151..9ed1d365 100644 --- a/private/system_app.te +++ b/private/system_app.te @@ -24,6 +24,12 @@ allow system_app misc_user_data_file:file create_file_perms; # Access to vold-mounted storage for measuring free space allow system_app mnt_media_rw_file:dir search; +# Access to apex files stored on /data (b/136063500) +# Needed so that Settings can access NOTICE files inside apex +# files located in the assets/ directory. +allow system_app apex_data_file:dir search; +allow system_app staging_data_file:file r_file_perms; + # Read wallpaper file. allow system_app wallpaper_file:file r_file_perms; diff --git a/private/system_server.te b/private/system_server.te index bc47e916..5bec849c 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -1011,7 +1011,7 @@ wakelock_use(system_server) # needs these privileges to compare file signatures while processing installs. # # Only apexd is allowed to create new entries or write to any file under /data/apex. -allow system_server apex_data_file:dir search; +allow system_server apex_data_file:dir { getattr search }; allow system_server apex_data_file:file r_file_perms; # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can |