Add policy for /metadata/apex.

This is an area that apexd can use to store session metadata, which
won't be rolled back with filesystem checkpointing.

Bug: 126740531
Test: builds
Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
diff --git a/private/apexd.te b/private/apexd.te
index 5b27101..3282cfc 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -10,6 +10,11 @@
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;
 
+# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
+allow apexd metadata_file:dir search;
+allow apexd apex_metadata_file:dir create_dir_perms;
+allow apexd apex_metadata_file:file create_file_perms;
+
 # allow apexd to create loop devices with /dev/loop-control
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
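Review bot: With only `search` granted on `metadata_file:dir` at line 18, apexd cannot create /metadata/apex itself (that would need `write add_name` on the parent directory), so the directory must already exist with the apex_metadata_file label before apexd runs — presumably created by init, which the neverallows further down exempt. That dependency is not visible anywhere in this change; a short comment would make it explicit, e.g. `# /metadata/apex itself is created and labelled by init; apexd only needs to traverse /metadata` above line 18. It is also worth confirming the corresponding mkdir exists, since otherwise the first write of session metadata would fail with a denial rather than be created on demand.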
@@ -99,5 +104,7 @@
 ')
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
+neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
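Review bot: The `-kernel` carve-out on line 31 is carried over from the apex_data_file rule above it, but nothing in this change shows that kernel threads need to write files under /metadata/apex (for apex_data_file this is presumably tied to loop-device backing files, which session metadata should not be). If only apexd ever writes there, the exception widens the neverallow for no benefit and the line can be `neverallow { domain -apexd -init } apex_metadata_file:file no_w_file_perms;`. If the kernel does need write access, a comment stating why would keep the two rules from diverging silently later.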
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f8efdb2..d8c6e0a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -10,6 +10,7 @@
     adbd_exec
     app_binding_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1129259..fbd26a1 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -9,6 +9,7 @@
     adb_service
     app_binding_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 70ceaca..1b76c38 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -8,6 +8,7 @@
     activity_task_service
     adb_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service
diff --git a/private/file_contexts b/private/file_contexts
index 33b4e18..9625acc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -617,6 +617,7 @@
 # Metadata files
 #
 /metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/apex(/.*)?      u:object_r:apex_metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
diff --git a/public/file.te b/public/file.te
index 65b10d6..256bca5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -201,6 +201,8 @@
 type gsi_metadata_file, file_type;
 # system_server shares Weaver slot information in /metadata
 type password_slot_metadata_file, file_type;
+# APEX files within /metadata
+type apex_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
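Review bot: The comment on line 89, `# APEX files within /metadata`, does not tell a policy reader what distinguishes this type from apex_data_file or why it exists. The commit message has the rationale; carry it into the policy, e.g. `# apexd session metadata in /metadata/apex; kept out of /data so it is not rolled back by filesystem checkpointing`. Naming the owning domain (apexd) also matches the style of the password_slot_metadata_file comment directly above.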
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 528d8ba..fd0d6e3 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -55,6 +55,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -70,6 +71,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -82,6 +84,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -95,6 +98,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -107,6 +111,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;