allow system server to search into /metadata/aconfig dir

Bug: b/312459182
Test: m
Change-Id: I44a2113b53b23a47d30460d0e7120bbeceb3ecbf
diff --git a/private/domain.te b/private/domain.te
index 4692eda..8dd8c89 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -813,5 +813,5 @@
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
 
 # Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
-neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
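Review bot: The `-system_server` exclusion added to both neverallow rules is much wider than the single `dir search` permission this commit grants in system_server.te. With it in place, nothing at policy build time stops a later allow rule from giving system_server write access to the flag value files or add/remove access on the directory, which the comment above these rules reserves for init and aconfigd. Consider leaving the file rule as `neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;` and pairing the relaxed dir rule with `neverallow system_server aconfig_storage_metadata_file:dir ~search;`. If the exclusion stays as written, the comment should at least be updated to name system_server.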
diff --git a/private/system_server.te b/private/system_server.te
index 886499e..c2c30ae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1470,6 +1470,7 @@
 
 allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
 allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+allow system_server aconfig_storage_metadata_file:dir search;
 
 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
 allow system_server repair_mode_metadata_file:file create_file_perms;
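Review bot: The new `allow system_server aconfig_storage_metadata_file:dir search;` rule has no comment saying why system_server needs to traverse a directory it is otherwise kept out of. Judging by the commit title and the two rules above it, the purpose is presumably to reach the `aconfig_storage_flags_metadata_file` entries under /metadata/aconfig; please confirm. A line such as `# Traverse /metadata/aconfig to reach the flags subdirectory; search only, no read or write of flag value files.` above the rule would record that intent for anyone who later widens the grant.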