Allow shell to read updated APEXes
This is useful for certain tests. Note that it is already possible to
access these files without root via adb pull, since adbd has
access. Shell also already has access to non-updated APEXes on
/system/apex.
Bug: 220918654
Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex
Change-Id: I35725499365b297a64c9005c8e45325531d3991d
diff --git a/private/domain.te b/private/domain.te
index 988bd56..acf5f55 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -245,6 +245,7 @@
-installd
-iorap_inode2filename
-priv_app
+ -shell
-virtualizationservice
-crosvm
} staging_data_file:file *;
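Review bot: Adding `-shell` to this exception list removes the neverallow guard for every staging_data_file:file permission, not only the read set, so the read-only nature of shell's access now rests entirely on the allow rules in shell.te and a later `allow shell staging_data_file:file write;` would no longer be rejected here. Consider pairing the exception with a narrower guard such as `neverallow shell staging_data_file:file ~r_file_perms;` so the intended limit is still enforced at policy build time, or at least a comment on the new line, `# shell: read-only access for tests, see shell.te`. The head of this neverallow statement and the start of its source domain set lie above the hunk.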
diff --git a/private/shell.te b/private/shell.te
index 63746f6..32819ac 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -130,6 +130,10 @@
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
+# Allow shell to read updated APEXes under /data/apex
+allow shell apex_data_file:dir search;
+allow shell staging_data_file:file r_file_perms;
+
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
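Review bot: The comment above the new rules describes the grant as reading updated APEXes under /data/apex, but the rule is keyed on the staging_data_file label, and if that label also covers other staging paths in file_contexts (I recall it does, e.g. /data/app-staging) then shell gains read access to everything carrying it, not just decompressed APEXes. Either reword the comment to state the label's scope, `# Allow shell to read staging_data_file (incl. updated APEXes under /data/apex)`, or explain why the broader read grant is acceptable. The `search`-only grant on apex_data_file:dir looks deliberate (traversal without listing), and saying so in the comment would make that intent explicit for the next change.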