Merge "selinux: Allow system_server to access files in iorapd dir." into rvc-dev
diff --git a/prebuilts/api/30.0/public/iorapd.te b/prebuilts/api/30.0/public/iorapd.te
index 3bf8cbd..b970699 100644
--- a/prebuilts/api/30.0/public/iorapd.te
+++ b/prebuilts/api/30.0/public/iorapd.te
@@ -46,6 +46,12 @@
allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull;
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
###
### neverallow rules
###
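Review bot: The comment above the two new allow rules states the intent (existence and size only) but not the constraint that keeps it true, so nothing tells a later editor that file `open`/`read` must stay out of this grant. Dir `read` also lets system_server enumerate entry names under the iorapd directory, so the "no sensitive app data" claim holds only if those names are not themselves sensitive, which the hunk does not show. I would add a line such as `# Deliberately no file open/read: system_server may only stat these files; dir read exposes entry names only.` The same comment applies to the identical hunk in public/iorapd.te.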
@@ -59,6 +65,7 @@
domain
-init
-iorapd
+ -system_server
} iorapd_data_file:dir *;
neverallow {
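Review bot: Adding `-system_server` to the exclusion set of the `iorapd_data_file:dir *` neverallow drops the compile-time guard for every dir permission, while the new allow rule grants only `{ getattr open read search }`. A later rule giving system_server write, add_name or remove_name on this type would therefore no longer be rejected. The same over-broad exemption is made in the next hunk for `{ iorapd_data_file }:notdevfile_class_set *`, where only `file getattr` is granted, and in both matching hunks of public/iorapd.te. Assuming no rule elsewhere needs more, pair the exemption with complement rules: `neverallow system_server iorapd_data_file:dir ~{ getattr open read search };` and `neverallow system_server iorapd_data_file:notdevfile_class_set ~getattr;`. The neverallow block opens above the hunk, so the full exclusion set is not visible here.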
@@ -73,6 +80,7 @@
-kernel
-vendor_init
-iorapd
+ -system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
diff --git a/public/iorapd.te b/public/iorapd.te
index 3bf8cbd..b970699 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -46,6 +46,12 @@
allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull;
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
###
### neverallow rules
###
@@ -59,6 +65,7 @@
domain
-init
-iorapd
+ -system_server
} iorapd_data_file:dir *;
neverallow {
@@ -73,6 +80,7 @@
-kernel
-vendor_init
-iorapd
+ -system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder