Merge "Add policy for /metadata/apex." am: 460efa2a01 am: bd415ea496

am: ff4ada393e

Change-Id: I6fe168c03b47778bec5ef70beddcadeee734033d

private/apexd.te

@@ -10,6 +10,11 @@ allow apexd apex_key_file:file r_file_perms;
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;
 
+# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
+allow apexd metadata_file:dir search;
+allow apexd apex_metadata_file:dir create_dir_perms;
+allow apexd apex_metadata_file:file create_file_perms;
+
 # allow apexd to create loop devices with /dev/loop-control
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
@@ -99,5 +104,7 @@ userdebug_or_eng(`
 ')
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
+neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;

private/compat/26.0/26.0.ignore.cil

@@ -10,6 +10,7 @@
     adbd_exec
     app_binding_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service

private/compat/27.0/27.0.ignore.cil

@@ -9,6 +9,7 @@
     adb_service
     app_binding_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service

private/compat/28.0/28.0.ignore.cil

@@ -8,6 +8,7 @@
     activity_task_service
     adb_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service

private/file_contexts

@@ -616,6 +616,7 @@
 # Metadata files
 #
 /metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/apex(/.*)?      u:object_r:apex_metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0

public/file.te

@@ -204,6 +204,8 @@ type vold_metadata_file, file_type;
 type gsi_metadata_file, file_type;
 # system_server shares Weaver slot information in /metadata
 type password_slot_metadata_file, file_type;
+# APEX files within /metadata
+type apex_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;

public/vendor_init.te

@@ -55,6 +55,7 @@ allow vendor_init {
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -70,6 +71,7 @@ allow vendor_init {
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -82,6 +84,7 @@ allow vendor_init {
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -95,6 +98,7 @@ allow vendor_init {
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -107,6 +111,7 @@ allow vendor_init {
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;