Add policy for /data/app-metadata

Bug: 336618214
Test: manual
Change-Id: If2da435f6622c6bc28a867c9a70e8efafe6524b0
diff --git a/private/file.te b/private/file.te
index b96e18b..7b2507c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -168,6 +168,9 @@
 # This type is set on the directory through the `rootcontext=` mount option.
 type pre_reboot_dexopt_artd_file, file_type;
 
+# /data/app-metadata - extracted app metadata bundles from APKs
+type apk_metadata_file, file_type, data_file_type, core_data_file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
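Review bot: The comment on the new `apk_metadata_file` type does not record which domain owns the directory or how far its contents can be trusted, and both matter to anyone who later adds a rule for this type. The bundles are extracted from APKs, so their content is chosen by the package author and should be treated as untrusted by any domain that parses it. I would expand the comment to something like `# /data/app-metadata - app metadata bundles extracted from APKs; written only by system_server, contents are package-supplied and untrusted`. The "written only by system_server" part is inferred from the system_server.te hunk of this commit, so confirm it before committing to it in the comment.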
diff --git a/private/file_contexts b/private/file_contexts
index b209109..3f5c9ef 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -583,6 +583,7 @@
 /data/apex/decompressed/(.*)?    u:object_r:staging_data_file:s0
 /data/apex/ota_reserved(/.*)?       u:object_r:apex_ota_reserved_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
+/data/app-metadata(/.*)?              u:object_r:apk_metadata_file:s0
 # Traditional /data/app/[packageName]-[randomString]/base.apk location
 /data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
 # /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
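Review bot: The added `/data/app-metadata(/.*)?` entry only takes effect when the directory is created through a path that looks up file_contexts or is relabelled afterwards, and nothing in this commit shows how the directory comes into existence. If system_server creates it at runtime under /data without a restorecon or a type_transition, the directory and its files would presumably inherit the parent's label, and the new `apk_metadata_file` rules would never apply. Since the commit lists `Test: manual`, it would help to state in the description that the label was checked on a fresh device and after an upgrade, for example with `ls -Zd /data/app-metadata`.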
diff --git a/private/system_server.te b/private/system_server.te
index 5c210c3..e129fa8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -518,6 +518,10 @@
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Manage /data/app-metadata
+allow system_server apk_metadata_file:dir create_dir_perms;
+allow system_server apk_metadata_file:file create_file_perms;
+
 # Access input configuration files in the /vendor directory
 r_dir_file(system_server, vendor_keylayout_file)
 r_dir_file(system_server, vendor_keychars_file)
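Review bot: The two new allow rules make system_server the writer for `apk_metadata_file`, but the commit adds no neverallow, so a later change can grant another domain write access without anyone noticing. Because system_server presumably reads these files back, a writable path from a less privileged domain would put attacker-chosen data in front of a privileged parser. I would pin the intent with `neverallow { domain -system_server -init } apk_metadata_file:file no_w_file_perms;` and the matching `:dir no_w_dir_perms` rule. The exclusion list is a guess and must be checked against the domains that already hold broad write access to data_file_type, otherwise the policy will not build. The comment `# Manage /data/app-metadata` could also say that system_server is meant to be the only writer.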