Allow service managers access to apex data.

VintfObject will monitor for /apex directory for VINTF data. Add permissions for service managers to read this data. Bug: 239055387 Test: m && boot Change-Id: I179e008dadfcb323cde58a8a460bcfa2825a7b4f
2022-07-28 16:23:42 +00:00 · 2022-07-28 16:23:42 +00:00 · ecbadbb141
commit ecbadbb141
parent 090f957d65
7 changed files with 30 additions and 0 deletions
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@ -28,3 +28,6 @@ set_prop(servicemanager, servicemanager_prop)

 # servicemanager is using bootstrap bionic
 use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@ -995,3 +995,11 @@ define(`use_bootstrap_libs', `
  allow $1 system_bootstrap_lib_file:dir r_dir_perms;
  allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
 ')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+  allow $1 apex_mnt_dir:dir r_dir_perms;
+  allow $1 apex_info_file:file r_file_perms;
+')
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@ -22,3 +22,5 @@ allow binderservicedomain keystore:keystore2 { get_state };
 allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };

 use_keystore(binderservicedomain)
+# binderservicedomain is using apex_info via libvintf
+use_apex_info(binderservicedomain)
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@ -10,3 +10,6 @@ set_prop(hwservicemanager, hwservicemanager_prop)

 # hwservicemanager is using bootstrap bionic
 use_bootstrap_libs(hwservicemanager)
+
+# hwservicemanager is using apex_info via libvintf
+use_apex_info(hwservicemanager)
--- a/private/keystore.te
+++ b/private/keystore.te
@ -37,3 +37,6 @@ allow keystore vold:binder transfer;
 # system property, an exception is added for init as well.
 set_prop(keystore, keystore_crash_prop)
 neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+
+# keystore is using apex_info via libvintf
+use_apex_info(keystore)
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@ -9,3 +9,6 @@ set_prop(servicemanager, servicemanager_prop)

 # servicemanager is using bootstrap bionic
 use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
--- a/public/te_macros
+++ b/public/te_macros
@ -1036,3 +1036,11 @@ define(`use_bootstrap_libs', `
  allow $1 system_bootstrap_lib_file:dir r_dir_perms;
  allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
 ')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+  allow $1 apex_mnt_dir:dir r_dir_perms;
+  allow $1 apex_info_file:file r_file_perms;
+')