Allow zygote to access dir/file under /vendor/overlay

http://ag/2070347 doesn't allow zygote to read vendor_overlay_file:file anymore. But zygote isn't transitioned into idmap when executing idmap_exec. So we need to allow zygote to access dir/file under /vendor/overlay to enable idmap_exec run by zygote to read static RRO. Test: building succeeded and tested a static RRO on sailfish device. Bug: 37173452 Change-Id: Iec8a6b31d24c225f7819eeb885305f78da73b8e0

Allow zygote to access dir/file under /vendor/overlay
e360791d · Jaekyun Seok · d0e9cb05 · e360791d
Commit e360791d authored 7 years ago by Jaekyun Seok
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,9 +51,8 @@ allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;

-# /vendor/overlay existence is checked before
-# passing it on as an argument to idmap in AssetManager
-allow zygote vendor_overlay_file:dir { getattr open read search };
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)

 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;