From 1a775e077b5d7266be3efb43fadaf4d387e14b4b Mon Sep 17 00:00:00 2001
From: Oli Lan
Date: Thu, 30 Jan 2020 16:46:40 +0000
Subject: [PATCH] Allow apexd to execute toybox for snapshot & restore.

This allows apexd to execute "cp" to perform snapshot and restore operations. Other rules for this were added in aosp/1217340, but this one was missed.

Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
---
 private/apexd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/apexd.te b/private/apexd.te
index 7f1d099ef..faff8c659 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -139,6 +139,9 @@ create_pty(apexd)
 # Allow apexd to read file contexts when performing restorecon of snapshots.
 allow apexd file_contexts_file:file r_file_perms;
 
+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
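Review bot: The added `allow apexd toolbox_exec:file rx_file_perms;` grants more than its comment says. `toolbox_exec` labels the whole toybox multi-call binary, so the policy cannot restrict apexd to `cp`. As far as I know AOSP's `rx_file_perms` includes `execute_no_trans`, and this hunk adds no domain transition, so the applet would run with apexd's own permissions. I would say so in the comment, e.g. `# Allow apexd to execute toybox "cp" in the apexd domain (no transition) for snapshot & restore; this permits every toybox applet.`, so a later audit does not read the rule as scoped to copying. The `neverallow` lines below show apexd is one of the few domains allowed write access to `apex_data_file`, so the calling code (not in this patch) should invoke the tool by absolute path with fixed arguments.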