Allow system server to open profiles

Allow system_server to open profile snapshots for read. System server never reads the actual content. It passes the descriptor to to privileged apps which acquire the permissions to inspect the profiles. Test: installd_dexopt_test Bug: 30934496 Change-Id: I1d1f07a05261af25f6640040af1500c9a4d5b8d5

Allow system server to open profiles
15da30b6 · Calin Juravle · 4081fd39 · 15da30b6
Commit 15da30b6 authored 7 years ago by Calin Juravle
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -720,6 +720,13 @@ with_asan(`
  allow system_server zygote_exec:file rx_file_perms;
 ')

+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:file { open read };
+
 ###
 ### Neverallow rules
 ###