Snap for 7110301 from 380766429303a99d85a58cd4c26f0ed6c9d984eb to android10-tests-release
Change-Id: I1925280c9448c3f44bb275f9028c4727ebccd6ff
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b2..705483b 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -82,7 +82,7 @@
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:file r_file_perms;
+ } vendor_overlay_file:file open;
')
# Core domains are not permitted to use kernel interfaces which are not
diff --git a/prebuilts/api/29.0/public/drmserver.te b/prebuilts/api/29.0/public/drmserver.te
index b7b641c..b7d4057 100644
--- a/prebuilts/api/29.0/public/drmserver.te
+++ b/prebuilts/api/29.0/public/drmserver.te
@@ -48,6 +48,9 @@
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;
diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te
index 4bedb0f..859ec9c 100644
--- a/prebuilts/api/29.0/public/mediaextractor.te
+++ b/prebuilts/api/29.0/public/mediaextractor.te
@@ -34,6 +34,9 @@
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te
index 70d0a55..8672eac 100644
--- a/prebuilts/api/29.0/public/mediaserver.te
+++ b/prebuilts/api/29.0/public/mediaserver.te
@@ -131,6 +131,9 @@
# b/120491318 allow mediaserver to access void:fd
allow mediaserver vold:fd use;
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
hal_client_domain(mediaserver, hal_allocator)
###
diff --git a/private/coredomain.te b/private/coredomain.te
index 169f6b2..705483b 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -82,7 +82,7 @@
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:file r_file_perms;
+ } vendor_overlay_file:file open;
')
# Core domains are not permitted to use kernel interfaces which are not
diff --git a/public/drmserver.te b/public/drmserver.te
index b7b641c..b7d4057 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -48,6 +48,9 @@
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;
+# overlay package access
+allow drmserver vendor_overlay_file:file { read map };
+
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 4bedb0f..859ec9c 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -34,6 +34,9 @@
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
+# overlay package access
+allow mediaextractor vendor_overlay_file:file { read map };
+
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 70d0a55..8672eac 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -131,6 +131,9 @@
# b/120491318 allow mediaserver to access void:fd
allow mediaserver vold:fd use;
+# overlay package access
+allow mediaserver vendor_overlay_file:file { read getattr map };
+
hal_client_domain(mediaserver, hal_allocator)
###
