Merge "Add policies for permission APEX data directory." am: 4f0bf97b41 am: 587e49e0be am: 2f9d693267

Change-Id: I9371d5e90bae97ce272d4619655864f232c5c5a3
2020-01-18 00:15:31 +00:00 · 2020-01-18 00:15:31 +00:00 · 0a4efab2c8
commit 0a4efab2c8
parent 4ba36837ee 2f9d693267
6 changed files with 14 additions and 0 deletions
--- a/private/apexd.te
+++ b/private/apexd.te
@ -12,6 +12,8 @@ allow apexd apex_metadata_file:dir create_dir_perms;
 allow apexd apex_metadata_file:file create_file_perms;

 # Allow apexd to create directories for snapshots of apex data
+allow apexd apex_permission_data_file:dir create_dir_perms;
+allow apexd apex_permission_data_file:file create_file_perms;
 allow apexd apex_rollback_data_file:dir create_dir_perms;
 allow apexd apex_rollback_data_file:file create_file_perms;

--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -9,6 +9,7 @@
    aidl_lazy_test_server_exec
    aidl_lazy_test_service
    apex_module_data_file
+    apex_permission_data_file
    apex_rollback_data_file
    app_integrity_service
    app_search_service
--- a/private/file_contexts
+++ b/private/file_contexts
@ -506,6 +506,7 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com.android.permission(/.*)?    u:object_r:apex_permission_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
@ -593,6 +594,8 @@
 # Apex data directories
 /data/misc_de/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_ce/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)?  u:object_r:apex_permission_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)?  u:object_r:apex_permission_data_file:s0

 # Apex rollback directories
 /data/misc_de/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1070,6 +1070,11 @@ allow system_server apex_data_file:file r_file_perms;
 allow system_server vendor_apex_file:dir { getattr search };
 allow system_server vendor_apex_file:file r_file_perms;

+# Allow the system server to manage relevant apex module data files.
+allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_permission_data_file:dir create_dir_perms;
+allow system_server apex_permission_data_file:file create_file_perms;
+
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
 allow system_server metadata_file:dir search;
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@ -15,6 +15,7 @@ allow vold_prepare_subdirs {
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
    apex_module_data_file
+    apex_permission_data_file
    apex_rollback_data_file
    backup_data_file
    face_vendor_data_file
@ -26,6 +27,7 @@ allow vold_prepare_subdirs {
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
    apex_module_data_file
+    apex_permission_data_file
    apex_rollback_data_file
    backup_data_file
    face_vendor_data_file
--- a/public/file.te
+++ b/public/file.te
@ -345,6 +345,7 @@ type mirror_data_file, file_type, core_data_file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
 type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
 type audio_data_file, file_type, data_file_type, core_data_file_type;
 type audioserver_data_file, file_type, data_file_type, core_data_file_type;