Add apexd_payload_metadata_prop

This should be read-only and corresponds to apexd.payload_metadata.path

Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases

Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec

microdroid/system/private/apexd.te

@@ -98,3 +98,6 @@ set_prop(apexd, ctl_apexd_prop)
 
 # apexd uses it to decide whether it needs to keep retrying polling for loop device.
 get_prop(apexd, cold_boot_done_prop)
+
+# apexd uses this to determine where there metadata partition is.
+get_prop(apexd, apexd_payload_metadata_prop)

microdroid/system/private/property.te

@@ -41,3 +41,9 @@ neverallow {
     -microdroid_manager
     -apkdmverity
 } microdroid_manager_roothash_prop:file no_rw_file_perms;
+
+# apexd_payload_metadata_prop can only set by init
+neverallow {
+  domain
+  -init
+} apexd_payload_metadata_prop:property_service set;

microdroid/system/private/property_contexts

@@ -165,3 +165,5 @@ heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
 # ART properties for CompOS
 dalvik.vm.                            u:object_r:dalvik_config_prop:s0 prefix
 persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string

microdroid/system/public/property.te

@@ -1,5 +1,6 @@
 type adbd_prop, property_type;
 type apex_config_prop, property_type;
+type apexd_payload_metadata_prop, property_type;
 type apexd_prop, property_type;
 type arm64_memtag_prop, property_type;
 type bootloader_prop, property_type;

private/apexd.te

@@ -158,6 +158,9 @@ get_prop(apexd, apexd_config_prop)
 # Allow apexd to read apex selection properties.
 # These are used to choose between multi-installed APEXes at activation time.
 get_prop(apexd, apexd_select_prop)
+#
+# Allow apexd to read apexd_payload_metadata_prop
+get_prop(apexd, apexd_payload_metadata_prop)
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;

private/property.te

@@ -1,5 +1,6 @@
 # Properties used only in /system
 system_internal_prop(adbd_prop)
+system_internal_prop(apexd_payload_metadata_prop)
 system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -375,6 +376,15 @@ neverallow {
   adbd_prop
 }:property_service set;
 
+neverallow {
+  # Only allow init to set apexd_payload_metadata_prop
+  domain
+  -init
+} {
+  apexd_payload_metadata_prop
+}:property_service set;
+
+
 neverallow {
   # Only allow init and shell to set userspace_reboot_test_prop
   domain

private/property_contexts

@@ -607,6 +607,7 @@ tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
 
 vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
 
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
 apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 
 odsign.key.done u:object_r:odsign_prop:s0 exact bool