From e360791d37052d632e7d39b9ee8801b5d2bb4611 Mon Sep 17 00:00:00 2001
From: Jaekyun Seok <jaekyun@google.com>
Date: Sat, 8 Apr 2017 17:00:55 +0900
Subject: [PATCH] Allow zygote to access dir/file under /vendor/overlay

http://ag/2070347 doesn't allow zygote to read vendor_overlay_file:file
anymore.
But zygote isn't transitioned into idmap when executing idmap_exec. So
we need to allow zygote to access dir/file under /vendor/overlay to
enable idmap_exec run by zygote to read static RRO.

Test: building succeeded and tested a static RRO on sailfish device.
Bug: 37173452
Change-Id: Iec8a6b31d24c225f7819eeb885305f78da73b8e0
---
 private/zygote.te | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/private/zygote.te b/private/zygote.te
index 52250f8f8..daabbc06e 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,9 +51,8 @@ allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 
-# /vendor/overlay existence is checked before
-# passing it on as an argument to idmap in AssetManager
-allow zygote vendor_overlay_file:dir { getattr open read search };
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
 
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
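Review bot: The new comment above `r_dir_file(zygote, vendor_overlay_file)` says "Allow apps access", but the rule grants read access to the zygote domain itself. The reason given in the commit message is also missing from the policy file, so the next reader cannot tell why zygote holds this permission. I would replace the comment with something like `# idmap_exec runs in the zygote domain (no domain transition), so zygote` / `# itself must read static RRO packages under /vendor/overlay.` Also note that `r_dir_file`, as defined in te_macros, covers `lnk_file` as well as `dir` and `file`, which is wider than the file read the description asks for. If symlinks under /vendor/overlay are not expected, keeping the original `dir` rule and adding `allow zygote vendor_overlay_file:file r_file_perms;` would be a tighter grant for a domain that every app process is forked from.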
-- 
GitLab