commit 0b2553a32b62a1c2948801b158570eb8c139311d
author Alexander Dorokhine <adorokhine@google.com> Wed May 26 09:47:19 2021 -0700
committer Alexander Dorokhine <adorokhine@google.com> Wed May 26 09:47:19 2021 -0700
tree fe4035760e66d114f0be47e8f077aaf6891c3931
parent 3040e15baa1bba5413c5c5d3263e01fd82b81d96

Allow the appsearch apex access to the apexdata misc_ce dir.

Bug: 177685938
Test: AppSearchSessionCtsTest
Change-Id: I727860a02cb9e612ce6c322662d418cddc2ff358

private/apexd.te

diff --git a/private/apexd.te b/private/apexd.te
index 48fbcb8..b6fff92 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,6 +18,8 @@
 allow apexd apex_ota_reserved_file:file create_file_perms;
 
 # Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
 allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_art_data_file:file { create_file_perms relabelto };
 allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3464484..6e66493 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,7 @@
     ab_update_gki_prop
     adbd_config_prop
     apc_service
+    apex_appsearch_data_file
     apex_art_data_file
     apex_art_staging_data_file
     apex_info_file

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 60a94b3..89b63d6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -565,12 +565,12 @@
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)?        u:object_r:accessibility_trace_data_file:s0
+/data/misc/a11ytrace(/.*)?      u:object_r:accessibility_trace_data_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)?    u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)?           u:object_r:apex_art_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_permission_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)?    u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
 /data/misc/appcompat(/.*)?      u:object_r:appcompat_data_file:s0
@@ -672,6 +672,7 @@
 # Apex data directories
 /data/misc_de/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_ce/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)?   u:object_r:apex_appsearch_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
 /data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)?  u:object_r:apex_wifi_data_file:s0

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index c9f3f8e..9dd4b1b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1259,6 +1259,8 @@
 
 # Allow the system server to manage relevant apex module data files.
 allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_appsearch_data_file:dir create_dir_perms;
+allow system_server apex_appsearch_data_file:file create_file_perms;
 allow system_server apex_permission_data_file:dir create_dir_perms;
 allow system_server apex_permission_data_file:file create_file_perms;
 allow system_server apex_scheduling_data_file:dir create_dir_perms;

private/vold_prepare_subdirs.te

diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 1414f6c..956e94e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    apex_appsearch_data_file
     apex_art_data_file
     apex_module_data_file
     apex_permission_data_file
@@ -32,6 +33,7 @@
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    apex_appsearch_data_file
     apex_art_data_file
     apex_art_staging_data_file
     apex_module_data_file

public/file.te

diff --git a/public/file.te b/public/file.te
index 2250482..20348b5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -385,6 +385,7 @@
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
 type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type;