Merge "Add shell_test_data_file for /data/local/tests"

commit: d482ae77d16d4affc5a6a6860c40438262b5e453 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Thu Sep 03 02:26:10 2020 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Sep 03 02:26:10 2020 +0000
tree: f92de3efc7fea6611f3dfc42807aedd58cbb5d3d
parent: 86209626ce71bba5690f31cda2862de76d32bf1f [diff]
parent: da4e51b71f77a98dbf2a34cc9465ad8feac4f4c0 [diff]
diff --git a/private/gsid.te b/private/gsid.te
index 9d07adb..3d91eb8 100644
--- a/private/gsid.te
+++ b/private/gsid.te

@@ -69,10 +69,17 @@
 # requirement, but the kernel does not implement FIEMAP support for VFAT.
 allow gsid self:global_capability_class_set sys_rawio;
 
-# gsi_tool passes the system image over the adb connection, via stdin.
-allow gsid adbd:fd use;
-# Needed when running gsi_tool through "su root" rather than adb root.
-allow gsid adbd:unix_stream_socket rw_socket_perms;
+# Allow rules for gsi_tool.
+userdebug_or_eng(`
+  # gsi_tool passes the system image over the adb connection, via stdin.
+  allow gsid adbd:fd use;
+  # Needed when running gsi_tool through "su root" rather than adb root.
+  allow gsid adbd:unix_stream_socket rw_socket_perms;
+  # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
+  allow gsid { shell su }:fifo_file r_file_perms;
+  # Allow installing images from /storage/emulated/...
+  allow gsid sdcard_type:file r_file_perms;
+')
 
 neverallow {
   domain
commit	d482ae77d16d4affc5a6a6860c40438262b5e453	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Thu Sep 03 02:26:10 2020 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Sep 03 02:26:10 2020 +0000
tree	f92de3efc7fea6611f3dfc42807aedd58cbb5d3d
parent	86209626ce71bba5690f31cda2862de76d32bf1f [diff]
parent	da4e51b71f77a98dbf2a34cc9465ad8feac4f4c0 [diff]