From 8ff6a86da526b18951c24a7971d71aac15f0fbca Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Tue, 1 Dec 2015 16:28:28 -0800 Subject: [PATCH] Add permissions back to app / shell domains Allow directory reads to allow tab completion in rootfs to work. "pm" is crashing due to failure to access /data/dalvik-cache. Add back in the permissions from domain_deprecated. Allow /sdcard to work again. Bug: 25954400 Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73
---
 app.te | 10 ++++++++++ shell.te | 3 +++ 2 files changed, 13 insertions(+)
diff --git a/app.te b/app.te
index 78da5b725..bc4246586 100644
--- a/app.te
+++ b/app.te
@@ -29,6 +29,16 @@ allow appdomain zygote:process sigchld;
 allow appdomain cgroup:dir { search write };
 allow appdomain cgroup:file w_file_perms;
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard symlink
+allow appdomain rootfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
 userdebug_or_eng(`
 # Notify zygote of the wrapped process PID when using --invoke-with.
 allow appdomain zygote:fifo_file write;
diff --git a/shell.te b/shell.te
index 2a3faecb2..a02fbd00f 100644
--- a/shell.te
+++ b/shell.te
@@ -25,6 +25,9 @@ userdebug_or_eng(`
 allow shell adbd:fd use;
 allow shell adbd:unix_stream_socket { read write ioctl getattr };
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;
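Review bot: The last rule added to app.te grants more than its comment describes: the comment says "Search /storage/emulated tmpfs mount", but `allow appdomain tmpfs:dir r_dir_perms;` also carries open and read, so every domain with the appdomain attribute can list any directory labeled tmpfs, not just traverse that one mount point. If traversal is all that /sdcard resolution needs, `allow appdomain tmpfs:dir { search getattr };` would match both the comment and the dalvikcache_data_file:dir rule a few lines above. If listing really is required, the comment should say so, since the tmpfs type is presumably not exclusive to /storage/emulated. The same applies in a smaller way to `rootfs:lnk_file r_file_perms`, where reading a symlink should only need `{ read getattr }`.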
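Review bot: The comment `# Root fs.` above `allow shell rootfs:dir r_dir_perms;` in shell.te does not record why the shell domain needs to list rootfs directories, and that reason exists only in the commit message. A comment such as `# Allow listing rootfs directories so tab completion works in the shell.` would let a later audit judge whether the full r_dir_perms set is still needed. The hunk header shows `userdebug_or_eng(` as the preceding context and the macro's closing line is outside the hunk, so it is worth confirming the new rule sits at the intended scope and is not accidentally limited to, or missing from, debug builds.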