From 5aebe5123c6e78a36fecfb8873aacd53e0989eaa Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 31 Mar 2017 12:39:27 -0700
Subject: [PATCH] domain: grant all domains access to zoneinfo

/data/misc/zoneinfo is provided by libc and is considered to be
VNDK stable. Grant read access to all domains and exempt it from the
neverallow rules asserting no vendor access to core data types.

Bug: 36730929
Test: Marlin Policy builds
Change-Id: I13766a661d6314f5393639fc20f1ab55d802f35f
---
 public/domain.te | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index bd5cb895c..29e8bb707 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -106,8 +106,8 @@ allow domain system_file:lnk_file { getattr read };
 allow domain sysfs:lnk_file read;
 
 # libc references /data/misc/zoneinfo for timezone related information
-not_full_treble(`r_dir_file(domain, zoneinfo_data_file)')
-r_dir_file({ coredomain appdomain }, zoneinfo_data_file)
+# This directory is considered to be a VNDK-stable
+r_dir_file(domain, zoneinfo_data_file)
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
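Review bot: The new comment above `r_dir_file(domain, zoneinfo_data_file)` is a sentence fragment (`# This directory is considered to be a VNDK-stable`) and does not say why that justifies widening the grant from `{ coredomain appdomain }` to every domain, vendor ones included. Suggest `# This directory is a VNDK-stable interface provided by libc, so every domain (vendor included) may read it;` followed by `# it is exempted from the core_data_file_type neverallows below for that reason.` so the next reader does not have to find the neverallow hunks to understand the rule.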
@@ -491,7 +491,10 @@ full_treble_only(`
     -coredomain
     -appdomain
     -coredata_in_vendor_violators
-  } core_data_file_type:{
+  }
+    core_data_file_type
+    -zoneinfo_data_file # VNDK stable API provided by libc
+  :{
     file_class_set
   } ~{ append getattr ioctl read write };
   # do not allow vendor component access to coredomains data directories.
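Review bot: Removing zoneinfo_data_file from this neverallow (and from the `:dir *` one in the next hunk) drops all build-time coverage of vendor access to it, not just the read side the commit needs: a vendor policy later granting write, create or unlink on zoneinfo_data_file would no longer fail the neverallow check, whereas the read grant presumably only needs perms such as `open` and `search` beyond what `~{ append getattr ioctl read write }` already tolerates. Consider a dedicated rule that keeps vendor domains read-only, roughly `neverallow { domain -coredomain -appdomain -coredata_in_vendor_violators } zoneinfo_data_file:file_class_set ~{ r_dir_perms r_file_perms };` (the exact perm set should follow the macros this tree defines). As a style point, this hunk leaves the type set unbraced (`}` / `core_data_file_type` / `-zoneinfo_data_file` / `:{`) while the next hunk braces it; writing `} {` and `}:{` here would make the two consistent. The enclosing neverallow statement opens before this hunk.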
@@ -502,7 +505,11 @@ full_treble_only(`
     -coredomain
     -appdomain
     -coredata_in_vendor_violators
-  } { core_data_file_type -system_data_file }:dir *;
+  } {
+    core_data_file_type
+    -system_data_file
+    -zoneinfo_data_file # VNDK stable API provided by libc
+  }:dir *;
   neverallow {
     domain
     -coredomain
-- 
GitLab