commit eb1cf76b70f74ae5d2ab60a5e50f37f2fd740d4b
author Daniel Rosenberg <drosen@google.com> Fri Jul 12 16:33:43 2019 -0700
committer android-build-team Robot <android-build-team-robot@google.com> Tue Jul 16 02:55:25 2019 +0000
tree 96aebf4ccdada92edef2dbca89c8752469e59f39
parent 097deb63acdc1e491a76aa04de2acf1d1fcd51f4

sepolicy: Adjust policy for migrate_legacy_obb_data.sh

Required to check if migration is necessary and migrate obb contents

Bug: 136199978
Test: make
Change-Id: I23890e4eeea1da7791e25ce5c9584b1abe94f440
(cherry picked from commit 793dc8f8da2bbcb954670bfbd53a0038328e8473)

prebuilts/api/29.0/private/migrate_legacy_obb_data.te

diff --git a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
index 4bc1e2c..b2a1fb1 100644
--- a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -10,6 +10,14 @@
 
 allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
 
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
 # TODO: This should not be necessary. We don't deliberately hand over
 # any open file descriptors to this domain, so anything that triggers this
 # should be a candidate for O_CLOEXEC.

private/migrate_legacy_obb_data.te

diff --git a/private/migrate_legacy_obb_data.te b/private/migrate_legacy_obb_data.te
index 4bc1e2c..b2a1fb1 100644
--- a/private/migrate_legacy_obb_data.te
+++ b/private/migrate_legacy_obb_data.te
@@ -10,6 +10,14 @@
 
 allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
 
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
 # TODO: This should not be necessary. We don't deliberately hand over
 # any open file descriptors to this domain, so anything that triggers this
 # should be a candidate for O_CLOEXEC.