From 15da30b6ffb58c1020b1ad56510d34865383a7f0 Mon Sep 17 00:00:00 2001
From: Calin Juravle <calin@google.com>
Date: Wed, 22 Nov 2017 00:09:25 -0800
Subject: [PATCH] Allow system server to open profiles

Allow system_server to open profile snapshots for read.
System server never reads the actual content. It passes the descriptor to
to privileged apps which acquire the permissions to inspect the profiles.

Test: installd_dexopt_test
Bug: 30934496
Change-Id: I1d1f07a05261af25f6640040af1500c9a4d5b8d5
---
 private/system_server.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/private/system_server.te b/private/system_server.te
index c10a617ef..1d1b92be9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -720,6 +720,13 @@ with_asan(`
   allow system_server zygote_exec:file rx_file_perms;
 ')
 
+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:file { open read };
+
 ###
 ### Neverallow rules
 ###
-- 
GitLab