Merge "Adding vendor_apex_file for /vendor/apex"

am: 91c35aeab6 Change-Id: I64f45f0861ce213a464a8900699e906cdde888cb
2019-04-24 16:52:04 -07:00 · 2019-04-24 16:52:04 -07:00 · 37985b73c4
commit 37985b73c4
parent 8d18a3bd51 91c35aeab6
8 changed files with 17 additions and 2 deletions
--- a/private/apexd.te
+++ b/private/apexd.te
@ -50,6 +50,10 @@ allow apexd staging_data_file:file unlink;
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };

+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };

--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -195,6 +195,7 @@
    usbd
    usbd_exec
    usbd_tmpfs
+    vendor_apex_file
    vendor_init
    vendor_shell
    vold_metadata_file
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@ -171,6 +171,7 @@
    usbd
    usbd_exec
    usbd_tmpfs
+    vendor_apex_file
    vendor_default_prop
    vendor_init
    vendor_security_patch_level_prop
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -137,6 +137,7 @@
    traced_lazy_prop
    uri_grants_service
    use_memfd_prop
+    vendor_apex_file
    vendor_cgroup_desc_file
    vendor_idc_file
    vendor_keychars_file
--- a/private/file_contexts
+++ b/private/file_contexts
@ -352,6 +352,8 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0

+/vendor/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0

--- a/public/domain.te
+++ b/public/domain.te
@ -1003,6 +1003,7 @@ full_treble_only(`
    vendor_file_type
    -same_process_hal_file
    -vendor_app_file
+    -vendor_apex_file
    -vendor_configs_file
    -vendor_framework_file
    -vendor_idc_file
--- a/public/file.te
+++ b/public/file.te
@ -286,6 +286,8 @@ type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 # /data/app-staging
 type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;

 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
--- a/public/kernel.te
+++ b/public/kernel.te
@ -85,8 +85,11 @@ allow kernel vold_data_file:file { read write };
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
-allow kernel apex_data_file:file read;
-allow kernel staging_data_file:file read;
+allow kernel {
+  apex_data_file
+  staging_data_file
+  vendor_apex_file
+}:file read;

 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.