sepolicy: restrict /vendor/overlay from most coredomains The change makes 'vendor_overlay_file' accessible only to few platform domains like idmap, system_server, zygote and appdomain. The overlay files contains RROs (runtime resource overlays) Bug: 36681210 Test: Boot sailfish (treble device) from wiped flashall Test: Connect to wifi and launch chrome to load few websites. Test: Launch camera and record + playback video Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332 Signed-off-by: Sandeep Patil <sspatil@google.com>

commit: 9075699a28fe0f369427e0c7c07a1034e804ff41 [log] [tgz]
author: Sandeep Patil <sspatil@google.com> Wed Apr 05 16:16:13 2017 -0700
committer: Sandeep Patil <sspatil@google.com> Thu Apr 06 13:28:16 2017 -0700
tree: 17fc4901d2fb08b33e2ec5c29bbe103e63ca0f9f
parent: 1b5f81a2d2fd0a09de75b416c3e995c4b9728192 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 4302343..90e8b10 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -297,6 +297,9 @@
 # Access /vendor/app
 r_dir_file(system_server, vendor_app_file)
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
commit	9075699a28fe0f369427e0c7c07a1034e804ff41	[log] [tgz]
author	Sandeep Patil <sspatil@google.com>	Wed Apr 05 16:16:13 2017 -0700
committer	Sandeep Patil <sspatil@google.com>	Thu Apr 06 13:28:16 2017 -0700
tree	17fc4901d2fb08b33e2ec5c29bbe103e63ca0f9f
parent	1b5f81a2d2fd0a09de75b416c3e995c4b9728192 [diff] [blame]