Allow system_server to read apex_data_file. am: 9f343b32be
am: 801e32ecc2
Change-Id: I2786c8fdb5a77768faa78be835da314122ac692a
diff --git a/private/apexd.te b/private/apexd.te
index bed8953..4850d61 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -68,5 +68,5 @@
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
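Review bot: Switching the file rule from `no_rw_file_perms` to `no_w_file_perms` drops the compile-time guard on reads of `apex_data_file` for every domain, not only for system_server, which is the one domain the commit title names. A later `allow` that gives another domain read access to files under /data/apex would now build without tripping a neverallow. Consider keeping the write rule as changed and adding a read guard beside it, `neverallow { domain -apexd -init -kernel -system_server } apex_data_file:file no_rw_file_perms;`. That leaves system_server as the only new reader, while its writes stay forbidden by the `no_w_file_perms` rule.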
diff --git a/private/system_server.te b/private/system_server.te
index f3d2ffd..4581417 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -963,6 +963,13 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow the system server to read files under /data/apex. The system_server
+# needs these privileges to compare file signatures while processing installs.
+#
+# Only apexd is allowed to create new entries or write to any file under /data/apex.
+allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:file r_file_perms;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
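Review bot: The added comment says only apexd may create entries or write under /data/apex, but the neverallow rules in private/apexd.te shown in this same commit also exempt init for the directory and init and kernel for files, so the comment overstates the restriction. Suggested wording: `# Writes under /data/apex remain restricted by the neverallow rules in apexd.te (apexd, init, kernel).` Separately, the grant uses the `r_file_perms` macro, which covers more than open and read. If signature comparison needs only those, an explicit set such as `{ getattr open read }` would state the intent more tightly. That is inferred from the comment rather than from a visible caller, so confirm whether the reader maps the file before narrowing.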