commit b382f02bf452ed509bb201b7d16745e76c7409a9
author Yurii Zubrytskyi <zyy@google.com> Wed Apr 21 13:58:24 2021 -0700
committer Yurii Zubrytskyi <zyy@google.com> Wed Apr 21 15:15:40 2021 -0700
tree bcdf08b334a1f23a9e545bffa3dacef8d4399daa
parent 5bbeaa39d8f5df4ce224216fee9ca6e31a3d2589

[incfs] Allow everyone read the IncFS sysfs features

Every process needs to be able to determine the IncFS features
to choose the most efficient APIs to call

Bug: 184357957
Test: build + atest PackageManagerShellCommandTest
Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 87518a7..9e2e033 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -49,6 +49,9 @@
   -zygote
 })')
 
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;

private/isolated_app.te

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94d60f0..71749c0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -128,6 +128,7 @@
   -sysfs_devices_system_cpu
   -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+  -sysfs_fs_incfs_features
 }:file no_rw_file_perms;
 
 # No creation of sockets families other than AF_UNIX sockets.

private/priv_app.te

diff --git a/private/priv_app.te b/private/priv_app.te
index 4fd86e5..63a9cbf 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -161,9 +161,6 @@
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# Access the IncFS list of features
-r_dir_file(priv_app, sysfs_fs_incfs_features)
-
 # allow apps like Phonesky to check the file signature of an apk installed on
 # the Incremental File System, fill missing blocks and get the app status and loading progress
 allowxperm priv_app apk_data_file:file ioctl {

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 084ea22..729f835 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -26,9 +26,6 @@
 # For Incremental Service to check if incfs is available
 allow system_server proc_filesystems:file r_file_perms;
 
-# Access the IncFS list of features
-r_dir_file(system_server, sysfs_fs_incfs_features);
-
 # To create files, get permission to fill blocks, and configure Incremental File System
 allow system_server incremental_control_file:file { ioctl r_file_perms };
 allowxperm system_server incremental_control_file:file ioctl {