[incfs] Allow everyone read the IncFS sysfs features
Every process needs to be able to determine the IncFS features
to choose the most efficient APIs to call
Bug: 184357957
Test: build + atest PackageManagerShellCommandTest
Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d
diff --git a/private/domain.te b/private/domain.te
index 87518a7..9e2e033 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -49,6 +49,9 @@
-zygote
})')
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94d60f0..71749c0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -128,6 +128,7 @@
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+ -sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
diff --git a/private/priv_app.te b/private/priv_app.te
index 4fd86e5..63a9cbf 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -161,9 +161,6 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Access the IncFS list of features
-r_dir_file(priv_app, sysfs_fs_incfs_features)
-
# allow apps like Phonesky to check the file signature of an apk installed on
# the Incremental File System, fill missing blocks and get the app status and loading progress
allowxperm priv_app apk_data_file:file ioctl {
diff --git a/private/system_server.te b/private/system_server.te
index 084ea22..729f835 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -26,9 +26,6 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# Access the IncFS list of features
-r_dir_file(system_server, sysfs_fs_incfs_features);
-
# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {
diff --git a/public/vold.te b/public/vold.te
index 17c71b5..7796ba8 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -127,8 +127,6 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
-# Access the IncFS list of features
-r_dir_file(vold, sysfs_fs_incfs_features);
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental