Allow system server to access tmpfs files

* For some reasons CachedAppOptimizer is throwing these kinds of denials [1] it wont probably hurt to allow access to tmpfs files since system server already have access to app domain and zygote tmpfs [1] avc: denied { write } for comm="CachedAppOptimi" dev="tmpfs" ino=34884 scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0 avc: denied { write } for comm="CachedAppOptimi" dev="tmpfs" ino=16233 scontext=u:r:system_server:s0 tcontext=u:object_r:zygote_tmpfs:s0 tclass=file permissive=0 Signed-off-by: minaripenguin <[email protected]> Signed-off-by: Pranav Temkar <[email protected]> Change-Id: I9207deadabb3bb4dc75be5215e32719a4346d1ca
ProjectBlaze · Jun 17, 2024 · 5cd4b4e · 5cd4b4e
1 parent e66ea6c
commit 5cd4b4e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/private/system_server.te b/private/system_server.te
@@ -22,7 +22,8 @@ type_transition system_server system_data_file:sock_file system_ndebug_socket "n
 # Create a socket for connections from zygotes.
 type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
 
-allow system_server zygote_tmpfs:file { map read };
+allow system_server tmpfs:file { map read write };
+allow system_server zygote_tmpfs:file { map read write };
 allow system_server appdomain_tmpfs:file { getattr map read write };
 
 # For Incremental Service to check if incfs is available