Allow apexd to talk to vold.

am: 1f1c4c3fa5 Change-Id: If0dacd4bf99226d74e1906ad9ea63908d4a1fb90
2019-03-14 00:30:36 -07:00 · 2019-03-14 00:30:36 -07:00 · e9b10d0efa
commit e9b10d0efa
parent 301e0e366c 1f1c4c3fa5
2 changed files with 13 additions and 2 deletions
--- a/private/apexd.te
+++ b/private/apexd.te
@ -80,6 +80,10 @@ allow apexd kmsg_device:chr_file w_file_perms;
 # not covered by rollback manager.
 set_prop(apexd, powerctl_prop)

+# Find the vold service, and call into vold to manage FS checkpoints
+allow apexd vold_service:service_manager find;
+binder_call(apexd, vold)
+
 # Apex pre- & post-install permission.

 # Allow self-execute for the fork mount helper.
--- a/public/vold.te
+++ b/public/vold.te
@ -290,8 +290,15 @@ neverallow {

 neverallow { domain -vold -init } restorecon_prop:property_service set;

-# Only system_server and vdc can interact with vold over binder
-neverallow { domain -system_server -vdc -vold -update_verifier } vold_service:service_manager find;
+neverallow {
+    domain
+    -system_server
+    -vdc
+    -vold
+    -update_verifier
+    -apexd
+} vold_service:service_manager find;
+
 neverallow vold {
  domain
  -ashmemd