Commit 938d0c2b authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review

Merge "Allow the kernel to read staging_data_file."

parents 80eec389 b85acbb8
......@@ -143,7 +143,7 @@ neverallow {
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
neverallow { domain -init -system_server -apexd } staging_data_file:file *;
neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
neverallow { domain -init -system_server } staging_data_file:file
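Review bot: The `-kernel` exemption added to the `staging_data_file:file *` neverallow is wider than the access the commit title asks for, because it lifts the ban on every file permission for the kernel domain while only `read` is needed. Write-type permissions appear to stay blocked by the neverallow that follows, which does not exempt the kernel, although its permission list continues outside the hunk. Permissions such as `open` or `execute` could still be granted later without a build failure. Consider pinning the exemption with a companion rule such as `neverallow kernel staging_data_file:file ~read;`, provided no other rule already grants the kernel more. A comment like `# kernel: the loop driver thread reads staged APEX files through apexd's fd; read only.` would record the reason. The comment block above these rules starts outside the hunk, so it is not visible whether it already mentions the kernel.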
......
......@@ -81,11 +81,12 @@ allow kernel media_rw_data_file:file create_file_perms;
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };
# Allow the kernel to read APEX file descriptors and data files;
# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
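Review bot: The comment above `allow kernel staging_data_file:file read;` does not say that the grant is deliberately limited to `read` with no `open`. Inferring from the visible rules, that limit is what confines the kernel thread to descriptors handed over by apexd via `allow kernel apexd:fd use;`. A line such as `# read only, no open: access goes through fds already opened by apexd.` would keep a later edit from widening it unnoticed. The phrase "in earlier kernel version" also names no version, so a reader cannot tell when the rule becomes removable.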
......