allow all domain search permission for aconfig_storage_metadata_file dir
Just allow aconfig_storage_metadata_file:file read permission is not
enough to read the pb file, we also need
aconfig_storage_metadata_file:dir search permission.
Bug: b/312459182
Test: audit2allow after having demo app access the file
Change-Id: I1790ea84a56e83f43313af82378f245e2bb6597e
diff --git a/private/domain.te b/private/domain.te
index 0de9d13..ace3fe5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -815,5 +815,5 @@
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 0a2a5e5..dc87c78 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -346,7 +346,8 @@
# The boot copy of the flag value files serves flag read traffic for all processes, thus
# needs to be readable by everybody. Also, the metadata directory will contain pb file
# that records where flag storage files are, so also needs to be readable by everbody.
-allow domain { aconfig_storage_metadata_file }:file r_file_perms;
+allow domain aconfig_storage_metadata_file:file r_file_perms;
+allow domain aconfig_storage_metadata_file:dir r_dir_perms;
###
### neverallow rules