Allow vendor_overlay_file from vendor apex

Path to vendor overlays should be accessible to those processes with
access to vendor_overlay_file. This is okay when overlays are under
/vendor/overlay because vendor_file:dir is accessible from all domains.
However, when a vendor overlay file is served from a vendor apex, then
the mount point of the apex should be allowed explicitly for 'getattr'
and 'search'.

Bug: 285075529
Test: presubmit tests
Change-Id: I393abc76ab7169b65fdee5aefd6da5ed1c6b8586
diff --git a/private/rs.te b/private/rs.te
index a9b2edd..906373b 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -19,6 +19,8 @@
 allow rs vendor_file:dir r_dir_perms;
 r_dir_file(rs, vendor_overlay_file)
 r_dir_file(rs, vendor_app_file)
+# Vendor overlay can be found in vendor apex
+allow rs vendor_apex_metadata_file:dir { getattr search };
 
 # Read contents of app apks
 r_dir_file(rs, apk_data_file)
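Review bot: the comment above the added `allow rs vendor_apex_metadata_file:dir { getattr search };` rule says only that overlays can live in a vendor apex, and does not say why this type is the one being opened up. Going by the commit message, the directory is the apex mount point that rs has to traverse to reach vendor_overlay_file, so the comment could say that and note that the grant is deliberately limited to getattr and search. The commit message also describes the need as applying to every process with access to vendor_overlay_file, while this hunk covers rs alone; if other domains carry an r_dir_file(..., vendor_overlay_file) line, the same two permissions belong next to each of them, or in a shared macro so the pair of rules stays together.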