Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9a5b2f5e3b72f9dc260b9cfacb14df9b05e41d91^! / .
commit9a5b2f5e3b72f9dc260b9cfacb14df9b05e41d91[log] [tgz]
authorDennis Shen <dzshen@google.com>Wed Mar 20 16:29:20 2024 +0000
committerDennis Shen <dzshen@google.com>Thu Mar 21 01:50:06 2024 +0000
tree1f334adff9f1d8b04765e330d04aebffe396f3f6
parentcd560f115b28244b3163a2ba98e8f790ab012d26 [diff]
allow domain search for /metadata dir

While testing aconfig storage file read by a demo app. We discovered
the need to do metadata_file:dir search in logcat log.

Bug: b/312459182
Test: demo app start
Change-Id: I0872ff192280228cc2270ae4a04755bc5cfbd9cc

diff --git a/private/domain.te b/private/domain.te
index ace3fe5..aa0a5bb 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -208,6 +208,17 @@
   -hal_omx_server
 } {shell_exec toolbox_exec}:file rx_file_perms;
 
+# Allow everyone to read from flag value boot snapshot files and general pb files
+# The boot copy of the flag value files serves flag read traffic for all processes, thus
+# needs to be readable by everybody. Also, the metadata directory will contain pb file
+# that records where flag storage files are, so also needs to be readable by everbody.
+allow domain aconfig_storage_metadata_file:file r_file_perms;
+allow domain aconfig_storage_metadata_file:dir r_dir_perms;
+
+# processes needs to access storage file stored at /metadata/aconfig/boot, require search
+# permission on /metadata dir
+allow domain metadata_file:dir search;
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
@@ -817,3 +828,4 @@
 # Do not allow write access to aconfig flag value files except init and aconfigd
 neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
 neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
+

diff --git a/public/domain.te b/public/domain.te
index dc87c78..a8fdc9b 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -342,13 +342,6 @@
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)
 
-# Allow everyone to read from flag value boot snapshot files and general pb files
-# The boot copy of the flag value files serves flag read traffic for all processes, thus
-# needs to be readable by everybody. Also, the metadata directory will contain pb file
-# that records where flag storage files are, so also needs to be readable by everbody.
-allow domain aconfig_storage_metadata_file:file r_file_perms;
-allow domain aconfig_storage_metadata_file:dir r_dir_perms;
-
 ###
 ### neverallow rules
 ###