From 7f09a94596be98415d0546d927c8a4bc15867621 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 19 Oct 2015 09:24:04 -0700
Subject: [PATCH] Policy for priv_app domain

Verifier needs access to apk files.
avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0

Give bluetooth_manager_service and trust_service the app_api_service
attribute.
avc:  denied  { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0
avc:  denied  { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0

Bug: 25066911
Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835
---
 priv_app.te | 4 ++++
 service.te  | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/priv_app.te b/priv_app.te
index 37764ebe5..ea2a8e861 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -42,6 +42,10 @@ allow priv_app media_rw_data_file:file create_file_perms;
 allow priv_app shell_data_file:file r_file_perms;
 allow priv_app shell_data_file:dir r_dir_perms;
 
+# Allow verifier to access staged apks.
+allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
 # b/18504118: Allow reads from /data/anr/traces.txt
 allow priv_app anr_data_file:file r_file_perms;
 
diff --git a/service.te b/service.te
index cc0bbbe44..c1772d454 100644
--- a/service.te
+++ b/service.te
@@ -24,7 +24,7 @@ type audio_service, app_api_service, system_server_service, service_manager_type
 type backup_service, app_api_service, system_server_service, service_manager_type;
 type batterystats_service, app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, system_api_service, system_server_service, service_manager_type;
@@ -87,7 +87,7 @@ type statusbar_service, app_api_service, system_server_service, service_manager_
 type task_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, system_server_service, service_manager_type;
-type trust_service, system_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, system_server_service, service_manager_type;
 type updatelock_service, system_api_service, system_server_service, service_manager_type;
-- 
GitLab