Add dac_read_search to apexd to prevent spurious denials.
As apexd now has dac_override, it should also have dac_read_search to avoid spurious denials.

Bug: 141148175
Test: Build, run apex installation, check denials.
Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
parent 1a775e077b
commit 7e346c98fc
@ -45,7 +45,7 @@ allow apexd dm_device:blk_file rw_file_perms;
|
||||
|
||||
# sys_admin is required to access the device-mapper and mount
|
||||
# dac_override, chown, and fowner are needed for snapshot and restore
|
||||
allow apexd self:global_capability_class_set { sys_admin chown dac_override fowner };
|
||||
allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
|
||||
|
||||
# Note: fsetid is deliberately not included above. fsetid checks are
|
||||
# triggered by chmod on a directory or file owned by a group other
|
||||
|
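Review bot: The comment above the changed allow rule still reads "# dac_override, chown, and fowner are needed for snapshot and restore", so dac_read_search is now granted with no justification in the policy itself. Extend that comment to say dac_read_search is included alongside dac_override only to avoid spurious denials, as the commit message states, so that a later audit of apexd's capability set does not have to go to the commit log to learn why it is there. The fsetid note that follows the rule shows this file already records such decisions inline.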