Merge changes I179c05b3,Ia529ede4

* changes: Add dac_read_search to apexd to prevent spurious denials. Allow apexd to execute toybox for snapshot & restore.
2020-01-31 10:05:21 +00:00 · 2020-01-31 10:05:21 +00:00 · 2b44078cac
commit 2b44078cac
parent 89946d7e1b 7e346c98fc
1 changed files with 4 additions and 1 deletions
--- a/private/apexd.te
+++ b/private/apexd.te
@ -45,7 +45,7 @@ allow apexd dm_device:blk_file rw_file_perms;

 # sys_admin is required to access the device-mapper and mount
 # dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override fowner };
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };

 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
@ -139,6 +139,9 @@ create_pty(apexd)
 # Allow apexd to read file contexts when performing restorecon of snapshots.
 allow apexd file_contexts_file:file r_file_perms;

+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;