commit 342362ae3e1afa577a73dc7f154a9de7da96edc4
author Benjamin Gordon <bmgordon@google.com> Thu Sep 06 16:19:40 2018 -0600
committer Benjamin Gordon <bmgordon@google.com> Wed Sep 19 15:54:37 2018 -0600
tree 42542e8ffd6aefdf3d3e0b5728359840b84cdd93
parent 51dc7cb1d411215a7361feebfeaf1f976ce6cf30

sepolicy: grant dac_read_search to domains with dac_override

kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4

public/install_recovery.te

diff --git a/public/install_recovery.te b/public/install_recovery.te
index ab68838..24819c2 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
 type install_recovery, domain;
 type install_recovery_exec, exec_type, file_type;
 
-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
 
 # /system/bin/install-recovery.sh is a shell script.
 # Needs to execute /system/bin/sh