From b85acbb8890263c7ae0be5496729b33d65cad39b Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Wed, 16 Jan 2019 13:52:50 +0100
Subject: [PATCH] Allow the kernel to read staging_data_file.

These are APEX files in /data/staging, and will be accessed by the loop driver in the kernel.

Bug: 118865310
Test: no denials on emulator
Change-Id: I5c849b6677566cb00d28011352b9dc6b787a0bc4
---
 private/domain.te | 2 +-
 public/kernel.te | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/private/domain.te b/private/domain.te
index bc1defb63..e33a9cd4d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -143,7 +143,7 @@ neverallow {
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
 neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
 # apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
 neverallow { domain -init -system_server } staging_data_file:file
diff --git a/public/kernel.te b/public/kernel.te
index d3a60790b..50e72c2b1 100644
--- a/public/kernel.te
+++ b/public/kernel.te
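Review bot: The `-kernel` exemption on the `staging_data_file:file *` neverallow is wider than what the commit grants: public/kernel.te only allows `read`, but this line now lets the kernel domain be given any file permission on staged APEX files, so the integrity guarantee described in the comment above ("do not change between system_server staging the files and apexd processing") now rests on the following `no_w_file_perms`-style neverallow, whose permission list lies outside this hunk. Consider an explicit read-only carve-out right after this line, e.g. `neverallow kernel staging_data_file:file ~{ read };` (widened to whatever read-side set the loop driver actually needs), so a later `allow kernel staging_data_file:file write;` fails at policy build time rather than depending on the list below. At minimum, record why the exemption exists, e.g. `# kernel: the loop driver reads staged APEX images (see public/kernel.te).`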
@@ -81,11 +81,12 @@ allow kernel media_rw_data_file:file create_file_perms;
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file { read write };
 
-# Allow the kernel to read APEX file descriptors and data files;
+# Allow the kernel to read APEX file descriptors and (staged) data files;
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
 allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
-- 
GitLab
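Review bot: The new `allow kernel staging_data_file:file read;` has no pointer to the matching neverallow relaxation in private/domain.te, which is what keeps this grant from being widened later; add `# Matching neverallow exemption lives in private/domain.te (staging_data_file).` above it so the two edits stay in sync when either file is touched. The rule mirrors the `apex_data_file` line above (read only, no `open`), which presumably works because the descriptor is handed over through the `apexd:fd use` grant rather than the kernel opening the path itself; worth confirming that the staged-file path also reaches the loop driver via an apexd-owned fd, otherwise the denial-free emulator test may not have exercised this rule.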