Allow apexd to execute toybox for snapshot & restore.

This allows apexd to execute "cp" to perform snapshot and restore operations. Other rules for this were added in aosp/1217340, but this one was missed. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
2020-01-30 16:46:40 +00:00 · 2020-01-30 16:46:40 +00:00 · 1a775e077b
commit 1a775e077b
parent 4ea62412b8
1 changed files with 3 additions and 0 deletions
--- a/private/apexd.te
+++ b/private/apexd.te
@ -139,6 +139,9 @@ create_pty(apexd)
 # Allow apexd to read file contexts when performing restorecon of snapshots.
 allow apexd file_contexts_file:file r_file_perms;

+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;