From 9d942049dd6b0fc62a53e974b7a260feb0e0abf8 Mon Sep 17 00:00:00 2001
From: Pawit Pornkitprasan <p.pawit@gmail.com>
Date: Thu, 11 Dec 2014 22:33:49 +0700
Subject: [PATCH] sepolicy: allow system apps to access ASEC

Required for Settings to show name/icon of apps on sd card
(permission copied from untrusted_app)

Also removed duplicate permission (from domain) in untrusted_app

(cherry picked from commit c06ed8f7b26af01132db6d09ebf69807d09aa8bf)

Bug: 18730865
Change-Id: I725d088d1d4a1256e3bfe49bc32796a54889f925
---
 system_app.te    | 3 +++
 untrusted_app.te | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/system_app.te b/system_app.te
index ea23c81f2..0930ca076 100644
--- a/system_app.te
+++ b/system_app.te
@@ -45,6 +45,9 @@ allow system_app logd_prop:property_service set;
 allow system_app anr_data_file:dir ra_dir_perms;
 allow system_app anr_data_file:file create_file_perms;
 
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
 allow system_app system_app_service:service_manager add;
 
 allow system_app keystore:keystore_key {
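Review bot: The added `allow system_app asec_apk_file:file r_file_perms;` applies to every app running in the system_app domain, while the comment above it names only Settings as the consumer. The comment should state that scope so a later audit does not read the rule as Settings-only, e.g. `# Settings reads app label/icon from APKs in ASEC containers; note this grants read to all of system_app.` The commit message says the permission was copied from untrusted_app rather than derived from observed denials, so it is worth confirming whether the full `r_file_perms` set is needed here or whether a narrower set such as `{ getattr open read }` covers the label/icon lookup.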
diff --git a/untrusted_app.te b/untrusted_app.te
index 0dd96bded..824223771 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,7 +32,6 @@ allow untrusted_app app_data_file:file { rx_file_perms execmod };
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
 # ASEC
-allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
 # Execute libs in asec containers.
 allow untrusted_app asec_public_file:file { execute execmod };
-- 
GitLab