Allow rule to let settings access apex files
In order to show licensing information, we need to read it from an asset stored in the .apex file. Bug: 135183006 Test: Manual; settings can access apex files stored on /data Change-Id: I71fbde6e295d9c890c9b9b0449e5150834a6680e Merged-In: I71fbde6e295d9c890c9b9b0449e5150834a6680e
parent
72a75ffe19
commit
9067699d9d
@ -169,7 +169,7 @@ neverallow {
|
||||
# do not change between system_server staging the files and apexd processing
|
||||
# the files.
|
||||
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
|
||||
neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
|
||||
neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
|
||||
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
|
||||
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
|
||||
# except for `link` and `unlink`.
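Review bot: Adding `-system_app` to the `staging_data_file:file *` exemption lifts this compile-time guard for every file permission, while the matching allow rule in the system_app policy grants only `r_file_perms`. The comment above says the rule exists so that staged files do not change between system_server staging them and apexd processing them, so the exemption should be no wider than the read access it is meant to permit. Consider pairing it with something like `neverallow system_app staging_data_file:file ~r_file_perms;` and adding a line to the comment such as `# system_app is exempt only for read access to NOTICE assets inside apex files.` The neverallow block continues past the end of the hunk, so a later rule may already forbid writes; that is not visible here.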
|
||||
|
@ -24,6 +24,12 @@ allow system_app misc_user_data_file:file create_file_perms;
|
||||
# Access to vold-mounted storage for measuring free space
|
||||
allow system_app mnt_media_rw_file:dir search;
|
||||
|
||||
# Access to apex files stored on /data (b/136063500)
|
||||
# Needed so that Settings can access NOTICE files inside apex
|
||||
# files located in the assets/ directory.
|
||||
allow system_app apex_data_file:dir search;
|
||||
allow system_app staging_data_file:file r_file_perms;
|
||||
|
||||
# Read wallpaper file.
|
||||
allow system_app wallpaper_file:file r_file_perms;
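Review bot: The comment describes apex files on /data, but the file-level grant is on `staging_data_file`, and `apex_data_file` gets only `dir search`. The comment should say why the staging label is the one being read, presumably because apex files under /data/apex keep the label they were staged with (to be confirmed). `system_app` is also the whole domain rather than Settings alone, so every app in it gains read access to whatever carries the `staging_data_file` label. Suggested wording: `# Apex files under /data/apex carry the staging_data_file label; read-only. Applies to all of system_app, not only Settings.` The comment cites b/136063500 while the commit message cites Bug 135183006, so it is worth confirming which one tracks this change.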
|
||||
|
||||
|
@ -1011,7 +1011,7 @@ wakelock_use(system_server)
|
||||
# needs these privileges to compare file signatures while processing installs.
|
||||
#
|
||||
# Only apexd is allowed to create new entries or write to any file under /data/apex.
|
||||
allow system_server apex_data_file:dir search;
|
||||
allow system_server apex_data_file:dir { getattr search };
|
||||
allow system_server apex_data_file:file r_file_perms;
|
||||
|
||||
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
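Review bot: The added `getattr` on `apex_data_file:dir` for system_server is not explained by the commit description, which covers only Settings reading license assets. The `{ getattr search }` line appears to be the new side. A short reason in the comment block above, for example `# getattr on the directory is needed to <reason>`, would let a later reviewer judge whether the grant is still required. That comment block starts before the hunk.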
|
||||
|
@ -169,7 +169,7 @@ neverallow {
|
||||
# do not change between system_server staging the files and apexd processing
|
||||
# the files.
|
||||
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
|
||||
neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
|
||||
neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
|
||||
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
|
||||
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
|
||||
# except for `link` and `unlink`.
|
||||
|
@ -24,6 +24,12 @@ allow system_app misc_user_data_file:file create_file_perms;
|
||||
# Access to vold-mounted storage for measuring free space
|
||||
allow system_app mnt_media_rw_file:dir search;
|
||||
|
||||
# Access to apex files stored on /data (b/136063500)
|
||||
# Needed so that Settings can access NOTICE files inside apex
|
||||
# files located in the assets/ directory.
|
||||
allow system_app apex_data_file:dir search;
|
||||
allow system_app staging_data_file:file r_file_perms;
|
||||
|
||||
# Read wallpaper file.
|
||||
allow system_app wallpaper_file:file r_file_perms;
|
||||
|
||||
|
@ -1011,7 +1011,7 @@ wakelock_use(system_server)
|
||||
# needs these privileges to compare file signatures while processing installs.
|
||||
#
|
||||
# Only apexd is allowed to create new entries or write to any file under /data/apex.
|
||||
allow system_server apex_data_file:dir search;
|
||||
allow system_server apex_data_file:dir { getattr search };
|
||||
allow system_server apex_data_file:file r_file_perms;
|
||||
|
||||
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
|
||||
|