Merge "Neverallow vendor code access to files on /system."

commit: a813114831c5d35b0e35d6e0827dcec424dd13ee [log] [tgz]
author: Tri Vo <trong@google.com> Thu Oct 18 15:37:45 2018 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Oct 18 15:37:45 2018 +0000
tree: 70fc793ab49b542755f103b63dc02d400b7b3396
parent: ecc09871bae469fe8e57f395f8627e391fd6f9a9 [diff]
parent: c855629ebd42e4aba64dea0a8a95fc5c465b911e [diff]
diff --git a/private/apexd.te b/private/apexd.te
index adf6c97..32efb98 100644
--- a/private/apexd.te
+++ b/private/apexd.te

@@ -3,7 +3,7 @@
 init_daemon_domain(apexd)
 
 # Read /system/etc/security/apex_debug_key
-allow apexd apex_key_file:dir search;
+allow apexd apex_key_file:dir { search getattr };
 allow apexd apex_key_file:file r_file_perms;
 
 # Allow reading and writing of APEX files in the APEX data dir

diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6a7b0c7..540c039 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te

@@ -92,7 +92,7 @@
 allow mediaserver oemfs:file r_file_perms;
 
 # /vendor apk access
-allow mediaserver vendor_app_file:file { read map };
+allow mediaserver vendor_app_file:file { read map getattr };
 
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
commit	a813114831c5d35b0e35d6e0827dcec424dd13ee	[log] [tgz]
author	Tri Vo <trong@google.com>	Thu Oct 18 15:37:45 2018 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Oct 18 15:37:45 2018 +0000
tree	70fc793ab49b542755f103b63dc02d400b7b3396
parent	ecc09871bae469fe8e57f395f8627e391fd6f9a9 [diff]
parent	c855629ebd42e4aba64dea0a8a95fc5c465b911e [diff]