Allow anyone to read aconfig test mission file
This marker file is read by the aconfig code-generated flag APIs, which the
entire operating system uses, so it needs to be readable by everyone.
Test: m
Bug: 349597124
Change-Id: I296f0ccb605c251656957b3f6f0f97edbc29a44a
diff --git a/private/domain.te b/private/domain.te
index 61e2ea6..67ff430 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -570,13 +570,15 @@
-hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;
-# Allow all to read from flag value boot snapshot storage files and general pb files
-# The boot snapshot of storage files serves flag read traffic for all processes, thus
-# needs to be readable by everybody.
-r_dir_file(domain, aconfig_storage_metadata_file);
+# Allow all processes to read aconfig flag storage files. The format is hidden behind
+# code-generated APIs, but since the libraries are executed in the context of the caller,
+# all processes need access to the underlying files.
+is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, `
+ r_dir_file(domain, aconfig_storage_metadata_file);
+ r_dir_file(domain, aconfig_test_mission_files);
+')
r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
-r_dir_file({ coredomain appdomain }, aconfig_test_mission_files);
# processes needs to access storage file stored at /metadata/aconfig/boot, require search
# permission on /metadata dir
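Review bot: Moving `r_dir_file(domain, aconfig_storage_metadata_file);` inside the `is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, ...)` block makes a grant that was unconditional before this change depend on the release flag, and the old `{ coredomain appdomain }` rule for `aconfig_test_mission_files` is dropped in the same hunk. On a build where the flag is off, the only readers of both types left in this change are the dumpstate rules in private/dumpstate.te, so other processes that read the boot snapshot would presumably start hitting denials. The commit message does not mention this narrowing. If it is not intended, keep the metadata rule outside the guard and gate only the new `r_dir_file(domain, aconfig_test_mission_files);` line. Because the flag-on case opens both types to every domain, including the least trusted ones, the new comment could also say so, e.g. `# Readable by every domain: these files must never hold sensitive data.`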
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 38ea999..20341e4 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -33,6 +33,9 @@
allow dumpstate dropbox_data_file:file r_file_perms;
')
+r_dir_file(dumpstate, aconfig_storage_metadata_file);
+r_dir_file(dumpstate, aconfig_test_mission_files);
+
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
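Review bot: The two `r_dir_file(dumpstate, ...)` rules are added without a comment and sit outside the `RELEASE_READ_FROM_NEW_STORAGE` guard used in private/domain.te, so the reason dumpstate needs them unconditionally is not recorded. With the flag on they presumably duplicate the domain-wide grant, and with it off dumpstate is the only domain in this change that can read both types. A comment above them would capture the intent, e.g. `# dumpstate reads aconfig storage and test mission files regardless of RELEASE_READ_FROM_NEW_STORAGE`, with the actual reason filled in by the author.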