Add permissions back to app / shell domains
Allow directory reads so that tab completion in rootfs works.
"pm" is crashing due to failure to access /data/dalvik-cache. Add
back in the permissions from domain_deprecated.
Allow /sdcard to work again.
Bug: 25954400
Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73
diff --git a/app.te b/app.te
index 78da5b7..bc42465 100644
--- a/app.te
+++ b/app.te
@@ -29,6 +29,16 @@
allow appdomain cgroup:dir { search write };
allow appdomain cgroup:file w_file_perms;
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard symlink
+allow appdomain rootfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
userdebug_or_eng(`
# Notify zygote of the wrapped process PID when using --invoke-with.
allow appdomain zygote:fifo_file write;
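Review bot: The rule `allow appdomain tmpfs:dir r_dir_perms;` grants more than its comment describes. The comment says "Search", but `r_dir_perms` also includes `open` and `read`, so every domain in `appdomain` can list directories labelled `tmpfs`, not just traverse the /storage/emulated mount point. If traversal is all that is needed, `allow appdomain tmpfs:dir search;` would match the comment; otherwise the comment should say that listing is intended and why. `tmpfs` is presumably the generic label for tmpfs mounts without a more specific context, so it is worth confirming that no other tmpfs-labelled directory becomes listable by apps, and whether the most restricted app domains need this rule at all.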
diff --git a/shell.te b/shell.te
index 2a3faec..a02fbd0 100644
--- a/shell.te
+++ b/shell.te
@@ -25,6 +25,9 @@
allow shell adbd:fd use;
allow shell adbd:unix_stream_socket { read write ioctl getattr };
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;
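Review bot: The comment `# Root fs.` above `allow shell rootfs:dir r_dir_perms;` does not say why the shell needs to list rootfs directories; the reason (tab completion) appears only in the commit message. A comment such as `# Allow listing rootfs directories so tab completion works in the shell.` would keep the justification next to the rule. A later least-privilege audit could then decide whether the grant is still needed without digging through history.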