Merge "Allow priv_app to search apex_data_file and read staging_data_file"
diff --git a/private/domain.te b/private/domain.te
index 433a791..5bbb8d4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -211,7 +211,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.
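Review bot: The new `-priv_app` exemption on the `staging_data_file:file *` neverallow is wider than the access the commit actually grants (`r_file_perms` in priv_app.te), so the neverallow no longer stops a later policy change from giving priv_app write, append or setattr on staged APEX files — exactly the integrity property the comment above the rule says this block exists to protect. The `no_w_file_perms` neverallow introduced by the comment at the end of the hunk may still cover priv_app, but its exemption list is outside this hunk, so that cannot be confirmed here. I would pin the intent explicitly with `neverallow priv_app staging_data_file:file ~r_file_perms;` directly after the widened rule, and extend the comment with `# priv_app is exempted only so it may read installed APEX files; it must never be able to modify them.`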
diff --git a/private/priv_app.te b/private/priv_app.te
index 2325716..7794ee8 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -153,6 +153,10 @@
 # on the Incremental File System.
 allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
 
+# Required for Phonesky to be able to read APEX files under /data/apex/active/.
+allow priv_app apex_data_file:dir search;
+allow priv_app staging_data_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
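Review bot: The comment on the new rules names a single app (Phonesky) but the grant applies to every domain in priv_app, i.e. every privileged app on the device gains read access to all `staging_data_file` files and search of `apex_data_file` directories, which is broader than the stated need; the comment should say so, or the access should be scoped to a dedicated domain for that app if one exists. The comment also does not explain why reading files under `/data/apex/active/` requires `staging_data_file` rather than `apex_data_file` permissions — presumably the APEX files keep the label they received when staged, but that is an inference, not something the hunk shows. I would replace the comment with `# Allow priv_app (e.g. Phonesky) to read installed APEX files under /data/apex/active/. The directory is apex_data_file; the .apex files inside it keep their staging_data_file label. Note this applies to every priv_app, not just Phonesky.` and confirm the labeling claim against file_contexts before landing.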