Adding /odm support
The /odm partition isn't mandatory, and the following symlinks will exist on
a device without an /odm partition.
/odm/app -> /vendor/odm/app
/odm/bin -> /vendor/odm/bin
/odm/etc -> /vendor/odm/etc
/odm/firmware -> /vendor/odm/firmware
/odm/framework -> /vendor/odm/framework
/odm/lib -> /vendor/odm/lib
/odm/lib64 -> /vendor/odm/lib64
/odm/overlay -> /vendor/odm/overlay
/odm/priv-app -> /vendor/odm/priv-app
This CL allows all domains to access the symlinks and also removes the
Treble compliance neverallows on them, because the actual restrictions
should apply to the real path directly.
Bug: 70678783
Test: boot a device
Change-Id: If1522780a13710d8a592272dc688685cbae29f52
diff --git a/public/domain.te b/public/domain.te
index fc9c0a9..b079b07 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -180,8 +180,9 @@
allow domain vendor_configs_file:file { read open getattr };
full_treble_only(`
- # Allow all domains to be able to follow /system/vendor symlink
- allow domain vendor_file:lnk_file { getattr open read };
+ # Allow all domains to be able to follow /system/vendor and/or
+ # /vendor/odm symlinks.
+ allow domain vendor_file_type:lnk_file { getattr open read };
# This is required to be able to search & read /vendor/lib64
# in order to lookup vendor libraries. The execute permission
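Review bot: The added `allow domain vendor_file_type:lnk_file { getattr open read };` grants every domain read access to symlinks of every type carrying the `vendor_file_type` attribute, which is wider than the comment's "/system/vendor and/or /vendor/odm symlinks" and wider than the /odm links listed in the commit message. Either state in the comment that the attribute-wide grant is intentional (a symlink read only reveals the link, and access to the target is still checked against the target's own type), or limit the rule to the types that actually label those links.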
@@ -912,7 +913,7 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- } vendor_app_file:{ file lnk_file } r_file_perms;
+ } vendor_app_file:file r_file_perms;
')
full_treble_only(`
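Review bot: Narrowing the class set to `vendor_app_file:file r_file_perms` leaves no in-code explanation of why `lnk_file` is exempt from this rule; the reasoning exists only in the commit message. Add a short comment above the rule saying that symlinks are excluded because the restriction is enforced on the real path, so that a later cleanup does not restore `{ file lnk_file }`.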
@@ -939,7 +940,7 @@
-system_server
-webview_zygote
-zygote
- } vendor_overlay_file:{ file lnk_file } r_file_perms;
+ } vendor_overlay_file:file r_file_perms;
')
full_treble_only(`
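Review bot: With `lnk_file` dropped from `vendor_overlay_file:file r_file_perms`, this check now depends entirely on the real files behind /odm/overlay carrying the `vendor_overlay_file` label, and "Test: boot a device" does not demonstrate that. Please say in the commit message which configuration was booted (with or without an /odm partition) and confirm the labels on the /vendor/odm/overlay targets, since the lines shown here touch only public/domain.te.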