Allow vendor_overlay_file from vendor apex Path to vendor overlays should be accessible to those processes with access to vendor_overlay_file. This is okay when overlays are under /vendor/overlay because vendor_file:dir is accessible from all domains. However, when a vendor overlay file is served from a vendor apex, then the mount point of the apex should be allowed explicitly for 'getattr' and 'search'. Bug: 285075529 Test: presubmit tests Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586

commit: 7c4f8a87d30b9e95f72bb4a9891c24b6ad276cb2 [log] [tgz]
author: Jooyung Han <jooyung@google.com> Fri Jun 09 13:26:54 2023 +0900
committer: Jooyung Han <jooyung@google.com> Fri Jun 09 13:43:11 2023 +0900
tree: 8f7e6c1d9db5cbdb1eef98dc4f64d6bfb2c8059e
parent: 9f254ba3685cacfc44e639537800f7b93cf36230 [diff] [blame]
diff --git a/private/artd.te b/private/artd.te
index ef54d8c..5fcd43a 100644
--- a/private/artd.te
+++ b/private/artd.te

@@ -39,9 +39,11 @@
 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
 
-# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
 allow artd oemfs:dir { getattr search };
 r_dir_file(artd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow artd vendor_apex_metadata_file:dir { getattr search };
 
 # Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
 r_dir_file(artd, vendor_framework_file)
commit	7c4f8a87d30b9e95f72bb4a9891c24b6ad276cb2	[log] [tgz]
author	Jooyung Han <jooyung@google.com>	Fri Jun 09 13:26:54 2023 +0900
committer	Jooyung Han <jooyung@google.com>	Fri Jun 09 13:43:11 2023 +0900
tree	8f7e6c1d9db5cbdb1eef98dc4f64d6bfb2c8059e
parent	9f254ba3685cacfc44e639537800f7b93cf36230 [diff] [blame]