sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4

commit: 342362ae3e1afa577a73dc7f154a9de7da96edc4 [log] [tgz]
author: Benjamin Gordon <bmgordon@google.com> Thu Sep 06 16:19:40 2018 -0600
committer: Benjamin Gordon <bmgordon@google.com> Wed Sep 19 15:54:37 2018 -0600
tree: 42542e8ffd6aefdf3d3e0b5728359840b84cdd93
parent: 51dc7cb1d411215a7361feebfeaf1f976ce6cf30 [diff] [blame]
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 0a11558..0d062e9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te

@@ -7,7 +7,7 @@
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
   system_data_file
commit	342362ae3e1afa577a73dc7f154a9de7da96edc4	[log] [tgz]
author	Benjamin Gordon <bmgordon@google.com>	Thu Sep 06 16:19:40 2018 -0600
committer	Benjamin Gordon <bmgordon@google.com>	Wed Sep 19 15:54:37 2018 -0600
tree	42542e8ffd6aefdf3d3e0b5728359840b84cdd93
parent	51dc7cb1d411215a7361feebfeaf1f976ce6cf30 [diff] [blame]