Merge "Fix virtualizationservice rules"

private/domain.te

@@ -204,7 +204,19 @@ neverallow {
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow {
+  domain
+  -init
+  -system_app
+  -system_server
+  -apexd
+  -adbd
+  -kernel
+  -installd
+  -iorap_inode2filename
+  -priv_app
+  -virtualizationservice
+} staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

private/virtualizationservice.te

@@ -42,5 +42,12 @@ allow virtualizationservice app_data_file:file { getattr read write };
 # shell_data_file is used for automated tests and manual debugging.
 allow virtualizationservice shell_data_file:file { getattr read write };
 
+# Allow virtualizationservice to access apex files in /data/apex/{active,decompressed}
+allow virtualizationservice apex_data_file:dir search;
+allow virtualizationservice staging_data_file:file r_file_perms;
+
+# Allow virtualizationservice to read apex-info-list.xml
+allow virtualizationservice apex_info_file:file r_file_perms;
+
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };