Allow appdomain to read dir and files under vendor_microdroid_file am: 01c4f57431

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2960542

Change-Id: Idd6fae593bbe92fd7b15500aa0ce3c3ff1bb0013
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/private/app.te b/private/app.te
index b5bb474..1ef6ceb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -146,6 +146,9 @@
 r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
 allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
 
+# Allow apps to read microdroid related files in vendor partition for CTS purpose.
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_microdroid_file)
+
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox_all)
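Review bot: The added `r_dir_file` rule on `vendor_microdroid_file` gives directory and file read access to every app domain except isolated, ephemeral and SDK-sandbox apps, including ordinary third-party apps, yet the comment justifies it only as "for CTS purpose". A grant in shipping policy that exists for a test suite should state why it cannot be scoped more narrowly and that nothing labeled with this type is sensitive. I would expand the comment along the lines of `# vendor_microdroid_file is expected to hold only non-secret microdroid artifacts; CTS runs as a regular app, so read access cannot be limited to a test-only domain.` The author needs to confirm that wording, since the file_contexts entries for the type are not visible in this hunk. The source set also excludes `-isolated_app_all`, unlike the two `vendor_app_file` rules just above, which looks deliberate and deserves a word in the same comment.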