Allow appdomain to read dir and files under vendor_microdroid_file am: 01c4f57431 am: ec2735ac6a

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960542

Change-Id: Ic955ed19db22984e84b63026b795c18626963b78
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/private/app.te b/private/app.te
index b5bb474..1ef6ceb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -146,6 +146,9 @@
 r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
 allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
 
+# Allow apps to read microdroid related files in vendor partition for CTS purpose.
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_microdroid_file)
+
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox_all)
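Review bot: The added `r_dir_file` rule grants directory and file read on `vendor_microdroid_file` to every app domain except isolated, ephemeral and SDK-sandbox apps, which is wider than the "for CTS purpose" reason given in its comment. Nothing in this hunk limits the grant to test builds or a test-only domain. Because ordinary third-party apps would be able to read anything carrying this label, the comment should record that constraint, for example `# vendor_microdroid_file is readable by all regular apps (required by CTS); never apply this label to secrets or device-unique data.` If a narrower subject set was considered and rejected, a short note saying why would help the next reviewer. Whether a neverallow or labelling rule elsewhere already restricts what vendors may place under this type is not visible from here.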