Sepolicy changes for system_server to use libvintf Test: Boot sailfish with shared system image Bug: 36814984 Change-Id: I2937c20c3b6ca7bf4edab66a74742c48e76c7687

commit: bc3150afd03f7c5e29048215229d9b47414653c6 [log] [tgz]
author: Michael Schwartz <schwartzmi@google.com> Thu May 18 09:59:05 2017 -0700
committer: Michael Schwartz <schwartzmi@google.com> Mon May 22 11:52:32 2017 -0700
tree: 80bde1b05ed884ab509ba2c7d824650b8164ea14
parent: ffb8fb1b94e46dc1725c9083aa9e1f5e53c565d1 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 925c82d..0e4ecda 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -86,6 +86,9 @@
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
commit	bc3150afd03f7c5e29048215229d9b47414653c6	[log] [tgz]
author	Michael Schwartz <schwartzmi@google.com>	Thu May 18 09:59:05 2017 -0700
committer	Michael Schwartz <schwartzmi@google.com>	Mon May 22 11:52:32 2017 -0700
tree	80bde1b05ed884ab509ba2c7d824650b8164ea14
parent	ffb8fb1b94e46dc1725c9083aa9e1f5e53c565d1 [diff] [blame]