Merge "Allow the kernel to read staging_data_file."
am: 938d0c2bf6

Change-Id: I66fbc471ad5e508de0b8fde2d1ab3cb6fe1646a8
diff --git a/private/domain.te b/private/domain.te
index bc1defb..e33a9cd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -143,7 +143,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
 neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
 # apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
 neverallow { domain -init -system_server } staging_data_file:file
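Review bot: The new exemption on the changed line removes kernel from a neverallow over the full `*` permission set, while the matching grant in public/kernel.te is only `read`; after this change a future `allow kernel staging_data_file:file { write append ... }` would no longer be rejected by this rule, and whether the `no_w_file_perms` rule beginning on the last line of the hunk still catches it depends on its permission list, which continues outside the hunk. To keep the compile-time guard as tight as the grant, a dedicated rule pinning the kernel to read-only access would be worth adding next to it, e.g. `neverallow kernel staging_data_file:file ~read;`. The surrounding comment explains why staged files must not change between staging and apexd processing but not why the kernel is now exempt; a one-line comment such as `# kernel reads staged files on behalf of the loopback driver (see public/kernel.te)` would keep the exemption self-explanatory in this file.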
diff --git a/public/kernel.te b/public/kernel.te
index d3a6079..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,11 +81,12 @@
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file { read write };
 
-# Allow the kernel to read APEX file descriptors and data files;
+# Allow the kernel to read APEX file descriptors and (staged) data files;
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
 allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
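Review bot: The added `allow kernel staging_data_file:file read;` is unconditional, but the comment above it justifies the access only for "earlier kernel version[s]" where the loopback driver issues requests from a kernel thread, so nothing in the hunk records when this rule (and the neverallow exemption in private/domain.te) can be retired. A short note on the comment line, e.g. `# Can be dropped once the minimum supported kernel no longer does loop I/O from a kernel thread.`, would give maintainers the condition for removal; the exact kernel version is not stated in the hunk, so I have not guessed one. The comment also says "in earlier kernel version"; "versions" reads better. The rule grants `read` without `open`, which is consistent with the preceding `apexd:fd use` and `apex_data_file:file read` lines (the descriptor is presumably inherited rather than opened by the kernel), so no further permission seems needed.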