Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 7c4f8a87d30b9e95f72bb4a9891c24b6ad276cb2^! / . / private
commit7c4f8a87d30b9e95f72bb4a9891c24b6ad276cb2[log] [tgz]
authorJooyung Han <jooyung@google.com>Fri Jun 09 13:26:54 2023 +0900
committerJooyung Han <jooyung@google.com>Fri Jun 09 13:43:11 2023 +0900
tree8f7e6c1d9db5cbdb1eef98dc4f64d6bfb2c8059e
parent9f254ba3685cacfc44e639537800f7b93cf36230 [diff]
Allow vendor_overlay_file from vendor apex

Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.

Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586

diff --git a/private/artd.te b/private/artd.te
index ef54d8c..5fcd43a 100644
--- a/private/artd.te
+++ b/private/artd.te

@@ -39,9 +39,11 @@
 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
 
-# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
 allow artd oemfs:dir { getattr search };
 r_dir_file(artd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow artd vendor_apex_metadata_file:dir { getattr search };
 
 # Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
 r_dir_file(artd, vendor_framework_file)

diff --git a/private/dex2oat.te b/private/dex2oat.te
index 23f7444..379e32c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te

@@ -12,6 +12,8 @@
 allow dex2oat vendor_framework_file:file { getattr open read map };
 # Access /vendor/overlay
 r_dir_file(dex2oat, vendor_overlay_file);
+# Vendor overlay can be found in vendor apex
+allow dex2oat vendor_apex_metadata_file:dir { getattr search };
 
 allow dex2oat tmpfs:file { read getattr map };
 

diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 2fdc941..cdf403c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te

@@ -47,6 +47,8 @@
 r_dir_file(postinstall_dexopt, vendor_app_file)
 # Read vendor overlay files (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 

diff --git a/private/rs.te b/private/rs.te
index a9b2edd..906373b 100644
--- a/private/rs.te
+++ b/private/rs.te

@@ -19,6 +19,8 @@
 allow rs vendor_file:dir r_dir_perms;
 r_dir_file(rs, vendor_overlay_file)
 r_dir_file(rs, vendor_app_file)
+# Vendor overlay can be found in vendor apex
+allow rs vendor_apex_metadata_file:dir { getattr search };
 
 # Read contents of app apks
 r_dir_file(rs, apk_data_file)