Allow adbd to pull apexes from /data/apex/active
Test: adb pull /data/apex/active/com.android.apex.cts.shim@v2.apex
Bug: 184886365
Change-Id: Ibaac390a99e65a8b388d3c62761d96ec8f8e0846
diff --git a/private/adbd.te b/private/adbd.te
index f569ad2..3fc77a2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -209,6 +209,10 @@
allow adbd vendor_apex_file:dir search;
allow adbd vendor_apex_file:file r_file_perms;
+# Allow adb pull of updated apex files in /data/apex/active.
+allow adbd apex_data_file:dir search;
+allow adbd staging_data_file:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/domain.te b/private/domain.te
index d5c9193..87518a7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -201,7 +201,7 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.