Merge "Allow system server to read /vendor/apex."

commit: aaebc33e4027bfd62c8ca090f682f22868ec1507 [log] [tgz]
author: Dario Freni <dariofreni@google.com> Wed Oct 16 14:17:06 2019 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Oct 16 14:17:06 2019 +0000
tree: b5e64310af9f816fb0d6c334404631576034dd4a
parent: b4d7815fe4c7aa148879fbc09585585f560b12fd [diff]
parent: 4d3e9e7571227824354c182308b8cbf7316bae10 [diff]
diff --git a/private/system_server.te b/private/system_server.te
index 3d663b7..497028a 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1007,6 +1007,12 @@
 allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
 allow system_server metadata_file:dir search;
commit	aaebc33e4027bfd62c8ca090f682f22868ec1507	[log] [tgz]
author	Dario Freni <dariofreni@google.com>	Wed Oct 16 14:17:06 2019 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Oct 16 14:17:06 2019 +0000
tree	b5e64310af9f816fb0d6c334404631576034dd4a
parent	b4d7815fe4c7aa148879fbc09585585f560b12fd [diff]
parent	4d3e9e7571227824354c182308b8cbf7316bae10 [diff]