From 04654427f1e3a81f1a5c9810f2fffd642ad803eb Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Wed, 19 Apr 2017 11:35:15 -0700
Subject: [PATCH] Allow access to /proc/config.gz for priv_app and recovery

Bug: 37485771
Test: sideloaded OTA through recovery on sailfish
Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/priv_app.te | 3 +++
 public/recovery.te | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/private/priv_app.te b/private/priv_app.te
index bb7598e49..065ea1ad3 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -82,6 +82,9 @@ r_dir_file(priv_app, sysfs_type)
 r_dir_file(priv_app, proc)
 r_dir_file(priv_app, rootfs)
 
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
 
diff --git a/public/recovery.te b/public/recovery.te
index 886f4fd48..f0ac97dc4 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -51,6 +51,9 @@ recovery_only(`
 # Write to /proc/sys/vm/drop_caches
 allow recovery proc_drop_caches:file w_file_perms;
 
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
 # Write to /sys/class/android_usb/android0/enable.
 # TODO: create more specific label?
 allow recovery sysfs:file w_file_perms;
-- 
GitLab
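Review bot: The new rule `allow priv_app config_gz:file { open read getattr };` in private/priv_app.te grants the read to the whole priv_app domain, while the comment above it names only GMS core as the consumer. /proc/config.gz describes how the kernel was built, so every privileged app gains that view, and neither the comment nor the commit message says why the domain-wide grant is acceptable. I would make the scope explicit in the comment, for example `# Readable by every priv_app; needed by GMS core for libvintf OTA matching (bug 37485771)`. The explicit `{ open read getattr }` set is narrower than `r_file_perms` and is worth keeping as written. The recovery rule in public/recovery.te uses the same set inside `recovery_only` and raises no comparable scope question.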