Allow gmscore_app to write to /data/ota_package for OTA packages

This also adds an auditallow to the same rule for priv_app, so we can
delete it once no logs show up in go/sedenials for this rule
triggering.

Bug: 142672293
Test: TH
Change-Id: I57f887e96d721ca69a7228df0a75515596776778
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index a5555ac..372be7f 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -113,3 +113,8 @@
 # running "adb install foo.apk".
 allow gmscore_app shell_data_file:file r_file_perms;
 allow gmscore_app shell_data_file:dir r_dir_perms;
+
+# Write to /data/ota_package for OTA packages.
+allow gmscore_app ota_package_file:dir rw_dir_perms;
+allow gmscore_app ota_package_file:file create_file_perms;
+
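Review bot: The comment above the two new `allow gmscore_app ota_package_file` rules does not say that they take over the priv_app grant this commit marks for removal, so a later reader cannot tell which domain is meant to remain the writer of /data/ota_package. I would write it as `# b/142672293: Write to /data/ota_package for OTA packages; replaces the equivalent priv_app rule.` `create_file_perms` carries rename and unlink as well as create and write, which matches the priv_app rule being mirrored; whether a narrower set would do cannot be judged from this hunk. The hunk also leaves an added blank line at the end of the file, which can be dropped.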
diff --git a/private/priv_app.te b/private/priv_app.te
index 3b78e4a..11c9983 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -67,6 +67,11 @@
 # Write to /data/ota_package for OTA packages.
 allow priv_app ota_package_file:dir rw_dir_perms;
 allow priv_app ota_package_file:file create_file_perms;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+  auditallow priv_app ota_package_file:dir rw_dir_perms;
+  auditallow priv_app ota_package_file:file create_file_perms;
+')
 
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
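Review bot: The `auditallow` pair sits inside `userdebug_or_eng`, so an empty log only shows that no priv-app on userdebug or eng builds used the rule; priv-apps that ship only on user builds are never observed. The added comment should state that limit together with the cleanup condition, for example `# b/142672293: remove the allow rules above once this auditallow stops firing; only userdebug/eng builds are covered.` Because `rw_dir_perms` includes the read-side directory permissions, the dir rule will presumably also log priv-apps that merely look into the directory, so entries should be read per permission before concluding that an app still writes there.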