Merge "Allow access to /proc/config.gz for priv_app and recovery" into oc-dev am: 456fa27918
am: 7f0c18b44f
Change-Id: Ib764462e117579339bda41a6915b7216ffc0d947
diff --git a/private/priv_app.te b/private/priv_app.te
index 02682a1..109c869 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -82,6 +82,9 @@
r_dir_file(priv_app, proc)
r_dir_file(priv_app, rootfs)
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
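Review bot: The comment on the added rule names GMS core, but `allow priv_app config_gz:file { open read getattr };` grants the read to every app in the priv_app domain, so any privileged app can read the kernel build configuration. That file shows which kernel hardening options are compiled in, so the comment should at least state the real scope, e.g. `# Allow all priv_apps to read the kernel config (config_gz); needed by GMS core for OTA matching through libvintf`. If only one component needs the data, a narrower domain, or a system service that returns just the match result, would keep the config away from other privileged apps. The type declaration and labeling for `config_gz` are not part of this diff, so I am assuming they are defined elsewhere in the policy.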
diff --git a/public/recovery.te b/public/recovery.te
index 886f4fd..f0ac97d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -51,6 +51,9 @@
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;